Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545085
MD5:	59b54224956fe92c6cf81ff78616cf7f
SHA1:	6b0ef89648fd13d05bc8a4f0f1f313c5186f6454
SHA256:	bf8c8b70bc76645ba18ab3d6a37b6139ac2d298f058c519ad36d458c4ebc5607
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4996 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 59B54224956FE92C6CF81FF78616CF7F)

taskkill.exe (PID: 4832 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5276 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5376 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2828 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1292 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3064 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2608 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6360 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab10e24-fd26-47a6-a30f-3c3a34f93290} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c7d370710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4268 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -parentBuildID 20230927232528 -prefsHandle 4360 -prefMapHandle 3924 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1310df77-ec61-4df6-93b3-c28fa807be12} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c151fae10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7696 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a0a801-27a0-47f3-8aa4-31142e5b059f} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c15983510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2173903998.000000000109F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 4996	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0098EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0098EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0098ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0098EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0097AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2112421779.00000000009D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a44b22a2-c
Source: file.exe, 00000000.00000000.2112421779.00000000009D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ae6664e7-7
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9b72f529-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_421d04c0-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002D7003741B7 NtQuerySystemInformation,		17_2_000002D7003741B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002D7003952B2 NtQuerySystemInformation,		17_2_000002D7003952B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0097D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00971201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00971201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0097E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00982046	0_2_00982046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00918060	0_2_00918060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00978298	0_2_00978298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094E4FF	0_2_0094E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094676B	0_2_0094676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A4873	0_2_009A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093CAA0	0_2_0093CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091CAF0	0_2_0091CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092CC39	0_2_0092CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00946DD9	0_2_00946DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009191C0	0_2_009191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092B119	0_2_0092B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931394	0_2_00931394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931706	0_2_00931706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093781B	0_2_0093781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009319B0	0_2_009319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00917920	0_2_00917920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092997D	0_2_0092997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00937A4A	0_2_00937A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00937CA7	0_2_00937CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931C77	0_2_00931C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00949EEE	0_2_00949EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099BE44	0_2_0099BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931F32	0_2_00931F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002D7003741B7	17_2_000002D7003741B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002D7003952B2	17_2_000002D7003952B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002D7003952F2	17_2_000002D7003952F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002D7003959DC	17_2_000002D7003959DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00919CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0092F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00930A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009837B5 GetLastError,FormatMessageW,

0_2_009837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009710BF AdjustTokenPrivileges,CloseHandle,		0_2_009710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0097D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0098648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2263502295.0000018C1594F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263193410.0000018C16E3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2269549918.0000018C15992000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302182141.0000018C15994000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2341585239.0000018C15916000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab10e24-fd26-47a6-a30f-3c3a34f93290} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c7d370710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -parentBuildID 20230927232528 -prefsHandle 4360 -prefMapHandle 3924 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1310df77-ec61-4df6-93b3-c28fa807be12} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c151fae10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a0a801-27a0-47f3-8aa4-31142e5b059f} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c15983510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab10e24-fd26-47a6-a30f-3c3a34f93290} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c7d370710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -parentBuildID 20230927232528 -prefsHandle 4360 -prefMapHandle 3924 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1310df77-ec61-4df6-93b3-c28fa807be12} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c151fae10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a0a801-27a0-47f3-8aa4-31142e5b059f} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c15983510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2278856255.0000018C0CD42000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2261315762.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267679439.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2287485420.0000018C17A01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8softokn3.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2261315762.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267679439.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2261315762.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267679439.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2261315762.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267679439.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8bcryptprimitives.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2287485420.0000018C17A01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2261315762.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267679439.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gkcodecs.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ExplorerFrame.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2261315762.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267679439.0000018C186CD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8osclientcerts.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cryptbase.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iertutil.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8powrprof.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8MMDevAPI.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8oleaut32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8audioses.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47mrm.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netutils.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8rasadhlp.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp_win.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8taskschd.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2278856255.0000018C0CD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8fwpuclnt.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8advapi32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Storage.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261286012.0000018C186FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gdi32full.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8DataExchange.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8linkinfo.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000E.00000003.2267281646.0000018C18733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261100502.0000018C18733000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00930A76 push ecx; ret

0_2_00930A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0092F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98174

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002D7003741B7 rdtsc

17_2_000002D7003741B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0097DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094C2A2 FindFirstFileExW,	0_2_0094C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009868EE FindFirstFileW,FindClose,	0_2_009868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0098698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0097D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0097D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00989642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00989642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0098979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00989B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00989B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00985C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00985C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Source: firefox.exe, 00000011.00000002.3378277482.000002D77F55A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpo
Source: firefox.exe, 00000010.00000002.3381910270.0000022E94000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: firefox.exe, 00000012.00000002.3376051159.0000015BCFBAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP'
Source: firefox.exe, 00000010.00000002.3376634642.0000022E93A4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3381910270.0000022E94000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3382245538.000002D77FD10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3380119795.0000015BD0010000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000E.00000003.2340002015.0000018C7F4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3381209789.0000022E93F18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3381910270.0000022E94000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: firefox.exe, 00000010.00000002.3381910270.0000022E94000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: firefox.exe, 00000010.00000002.3381910270.0000022E94000000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3382245538.000002D77FD21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002D7003741B7 rdtsc

17_2_000002D7003741B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098EAA2 BlockInput,

0_2_0098EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00942622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00942622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00934CE8 mov eax, dword ptr fs:[00000030h]

0_2_00934CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00970B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00970B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00942622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00942622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0093083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009309D5 SetUnhandledExceptionFilter,	0_2_009309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00930C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00930C21

Source: C:\Users\user\Desktop\file.exe

0_2_00971201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00952BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00952BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097B226 SendInput,keybd_event,

0_2_0097B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00970B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00971663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00971663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00930698 cpuid

0_2_00930698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00988195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00988195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0096D27A GetUserNameW,

0_2_0096D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0094B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0094B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2173903998.000000000109F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4996, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2173903998.000000000109F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4996, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00991204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00991204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00991806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00991806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.65	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.193.91	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.186.142	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.186.142	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.1.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3377428655.0000015BCFFC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2263193410.0000018C16E3A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2295097301.0000018C15457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189419840.0000018C1545D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190303955.0000018C15465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191543690.0000018C1545E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286253948.0000018C15454000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 0000000E.00000003.2257215804.0000018C7F3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3377990728.0000022E93DE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3380317321.0000015BD0206000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3379278089.000002D77F786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3377428655.0000015BCFF8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2336299581.0000018C0F067000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2264151254.0000018C156E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341750088.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347204623.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331303872.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2270362914.0000018C0F5B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2339702638.0000018C7FC3A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2270937546.0000018C0F572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270781565.0000018C0F58B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2162259975.0000018C0CF1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162467420.0000018C0CF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160495711.0000018C0D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162894228.0000018C0CF81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162685002.0000018C0CF60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2355999675.0000018C0DCE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2341316494.0000018C16EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262911048.0000018C16EEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335000129.0000018C16EEB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2321715562.0000018C16F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2162259975.0000018C0CF1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162467420.0000018C0CF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160495711.0000018C0D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162894228.0000018C0CF81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162685002.0000018C0CF60000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2377859800.0000018C0E639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337554102.0000018C0E639000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2162259975.0000018C0CF1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162467420.0000018C0CF3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2160495711.0000018C0D400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162685002.0000018C0CF60000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2350684506.0000018C0E737000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2377551426.0000018C0F085000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2336299581.0000018C0F067000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2316004735.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2270362914.0000018C0F5B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C1565E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2338892296.0000018C7FCD3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2321715562.0000018C16F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/dates-and-times	firefox.exe, 0000000E.00000003.2340370661.0000018C7F361000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257215804.0000018C7F361000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2356425348.0000018C0DCA7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2297678307.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223850268.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2168443111.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2169346710.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2316004735.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C1565E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3377428655.0000015BCFF0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2225162215.0000018C0F891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225422569.0000018C0F893000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2349870670.0000018C0EFC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2264151254.0000018C156E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341750088.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347204623.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331303872.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2348804837.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2266297570.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353593170.0000018C0FAD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316004735.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3377428655.0000015BCFFC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2377017495.0000018C0FF1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2273911287.0000018C0F490000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203644639.0000018C0F490000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310356233.0000018C0F496000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2344296166.0000018C16BFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2353691478.0000018C0FA4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2355398033.0000018C0E1E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 0000000E.00000003.2257215804.0000018C7F3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3377990728.0000022E93DE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3380317321.0000015BD0206000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 0000000E.00000003.2257215804.0000018C7F3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3377990728.0000022E93DE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F7E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3380317321.0000015BD0206000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2334225284.0000018C16F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2270362914.0000018C0F5B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3376081932.000002D700413000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3377428655.0000015BCFF13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2264151254.0000018C156E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341750088.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347204623.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331303872.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3379852326.0000015BD0000000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2266617229.0000018C0FA7B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000E.00000003.2321715562.0000018C16F29000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2377859800.0000018C0E65F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320859200.0000018C0CF4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287343225.0000018C0EC25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284647035.0000018C0DAF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300283265.0000018C0C8AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273911287.0000018C0F490000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194006853.0000018C1538E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2351579904.0000018C0E616000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194006853.0000018C1539D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270078210.0000018C155C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284647035.0000018C0DAA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2349008023.0000018C0FA48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2203644639.0000018C0F490000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2333477926.0000018C0DAB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264423684.0000018C1561F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287343225.0000018C0EC21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205133279.0000018C0F4EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291397338.0000018C0EC25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273911287.0000018C0F4AB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2377859800.0000018C0E639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337554102.0000018C0E639000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2377859800.0000018C0E639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2337554102.0000018C0E639000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2325954637.0000018C15594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2262911048.0000018C16EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356425348.0000018C0DCA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264423684.0000018C15613000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2262911048.0000018C16EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2356425348.0000018C0DCA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264423684.0000018C15613000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2295097301.0000018C15457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189419840.0000018C1545D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190303955.0000018C15465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2191543690.0000018C1545E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286253948.0000018C15454000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2340002015.0000018C7F4C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2315068917.0000018C1585E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269877133.0000018C1585E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2324754557.0000018C1585E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263965345.0000018C1585E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346706317.0000018C1585F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2270781565.0000018C0F58B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2322799226.0000018C15ACC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375493887.0000018C15ACC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2192919310.0000018C15ACC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2225162215.0000018C0F891000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225301858.0000018C0FB26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225422569.0000018C0F893000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2297678307.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223850268.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2168443111.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2169346710.0000018C0D3DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2348804837.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2266297570.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353593170.0000018C0FAD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316004735.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2331303872.0000018C15686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2264151254.0000018C156E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341750088.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347204623.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2331303872.0000018C156E4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2263193410.0000018C16E3A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3380710160.0000022E93E00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3381804023.000002D77F800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3376849082.0000015BCFD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2162685002.0000018C0CF60000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545085
Start date and time:	2024-10-30 04:33:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 93% Number of executed functions: 41 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 142.250.185.238, 2.22.61.56, 2.22.61.72, 172.217.16.206, 172.217.18.14, 142.250.184.234
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7148 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:34:15	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/creditodigitalelmo.com.br/solo/i2975ufuy18zkhauvhibzzxy/YWRzQGJldHdlZW4udXM=	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	https://alcatrazpackages.com/elchapo.html	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_171a69cd-80c3-4780-8369-c55dff4c9a4f.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.174865008144005
Encrypted:	false
SSDEEP:	192:MKMiAi9cbhbVbTbfbRbObtbyEl7ncr7JA6wnSrDtTkd/S8:MPQcNhnzFSJ8ryjnSrDhkd/x
MD5:	EE183450B1BA4D275A08F9F683EF789E
SHA1:	4A1E9DC6CF1B2B4D268F508930C03E82528514B3
SHA-256:	3572F51B3F12D326810D494DF585773784639F37AC6A1D604AD0BD43F3EEF8BA
SHA-512:	BCF63CD8B9A8DF42C066A6DE601F3AFD9137D774CFB37D91EB9B4ED1817950E676A45F57D11E349547636A2A1B7B6B471350956F90097D8C79806BF6D5876B05
Malicious:	false
Preview:	{"type":"uninstall","id":"171a69cd-80c3-4780-8369-c55dff4c9a4f","creationDate":"2024-10-30T04:49:30.417Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_171a69cd-80c3-4780-8369-c55dff4c9a4f.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.174865008144005
Encrypted:	false
SSDEEP:	192:MKMiAi9cbhbVbTbfbRbObtbyEl7ncr7JA6wnSrDtTkd/S8:MPQcNhnzFSJ8ryjnSrDhkd/x
MD5:	EE183450B1BA4D275A08F9F683EF789E
SHA1:	4A1E9DC6CF1B2B4D268F508930C03E82528514B3
SHA-256:	3572F51B3F12D326810D494DF585773784639F37AC6A1D604AD0BD43F3EEF8BA
SHA-512:	BCF63CD8B9A8DF42C066A6DE601F3AFD9137D774CFB37D91EB9B4ED1817950E676A45F57D11E349547636A2A1B7B6B471350956F90097D8C79806BF6D5876B05
Malicious:	false
Preview:	{"type":"uninstall","id":"171a69cd-80c3-4780-8369-c55dff4c9a4f","creationDate":"2024-10-30T04:49:30.417Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925044786320928
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakN2966xeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LV/8P
MD5:	27C093B32E647960E74012D64AF07DDC
SHA1:	9D14405B965A773D78041B97B56CF2A9E31DAC74
SHA-256:	E35F9EECD6DCD4A06FE7EC777C8542E0BFAA941C6830D78CA99460777787A646
SHA-512:	9A3485EB4496E2DFBBEBF1F5B2EFF2DFFD415D0FFC71B64B70AF714AFD24B58936E33573F2ACA997BCBC4ADF341D73F4BBA350BECB27982A256A7F12E16793F0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925044786320928
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakN2966xeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LV/8P
MD5:	27C093B32E647960E74012D64AF07DDC
SHA1:	9D14405B965A773D78041B97B56CF2A9E31DAC74
SHA-256:	E35F9EECD6DCD4A06FE7EC777C8542E0BFAA941C6830D78CA99460777787A646
SHA-512:	9A3485EB4496E2DFBBEBF1F5B2EFF2DFFD415D0FFC71B64B70AF714AFD24B58936E33573F2ACA997BCBC4ADF341D73F4BBA350BECB27982A256A7F12E16793F0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	5FE83CFBDAC1FD3695EBE9803F788030
SHA1:	C121EA1EBBD2553F6B17ED845F6203B314CA31BF
SHA-256:	B008D38D9ADFFA69D25E87325E4E3B59A99687EE400DF3F3788EF84E08EBDD18
SHA-512:	F34F3DE79AF1E9097AA79E7223F9D04D6ED219D8A91043B05C081C2431F91411C339EB0CB8E425412EB867EE60795366645BF9BBC1E06295CD80BCB514C3B609
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035822017202226504
Encrypted:	false
SSDEEP:	3:GtlstFc+sywgS2B3lstFc+sywgS2c89//alEl:GtWte+Sb2B3Wte+Sb2c89XuM
MD5:	715AC4F29D0E982F34E7A2C9AD273D0E
SHA1:	5F9C4ACEB7EEBA504801DF97DBBFAAFBC7DF9915
SHA-256:	479A6329CB1AB7EB0F74AE685159DBBCAF2899A998504C9AEC7E152D6CE31E4D
SHA-512:	CCB972D2D35CDA119F60433FB6D4B4E38F98A807117D5FD47746AEA4BD7C4013BB8C14C97670E0388415604B2990E86F82A968076EE748758E5AFA3069575880
Malicious:	false
Preview:	..-......................;..P.%....b....k..#..-......................;..P.%....b....k..#........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03998118428817617
Encrypted:	false
SSDEEP:	3:Ol16+76aPHlofVq6q4Mvltl8rEXsxdwhml8XW3R2:KwS6aPHGq6q4Mvltl8dMhm93w
MD5:	29C43C49CDC3A29D32DDFEF4561DD7C6
SHA1:	05FAE1B2479A08D4430518965FECFB24AD0C8B3E
SHA-256:	1316CD501D0659C38DDC57308D7A51165C286DBB89EAE00B9A42052ADFF2A8FB
SHA-512:	45562A9745AB42E220C459B055FC601949B56AB2FB3CB6D3FC9DA4D767B65F24341BB5732B05050BB5AD9488E09AADB36DA6DEA48C619A9D0B59BFC58B2BC0A0
Malicious:	false
Preview:	7....-..............b.._..................b....;.%.P.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	modified
Size (bytes):	13187
Entropy (8bit):	5.476712816250289
Encrypted:	false
SSDEEP:	192:L+nPOeRnLYbBp6dJ0aX+V6SEXKqBNpfS5RHWNBw8dZSl:4De4JUMLL0HEwa0
MD5:	44A1B5126348D27C84B35D3564DCF92E
SHA1:	65D92269993A761066E4113572D77A5285EC2620
SHA-256:	E4E9D4DD18332C4D28BC91D64DC1CAE79018EC941408F0635D5851FBC5B8BA6E
SHA-512:	3979819B0AC615F9D6A2394A5FA7A7919714A9A591F246879245CED19897A5508747D758535F330CE65938881C4CFFE84E9824A38625F4C184A56985C7A65247
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730263740);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730263740);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730263740);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173026

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.476712816250289
Encrypted:	false
SSDEEP:	192:L+nPOeRnLYbBp6dJ0aX+V6SEXKqBNpfS5RHWNBw8dZSl:4De4JUMLL0HEwa0
MD5:	44A1B5126348D27C84B35D3564DCF92E
SHA1:	65D92269993A761066E4113572D77A5285EC2620
SHA-256:	E4E9D4DD18332C4D28BC91D64DC1CAE79018EC941408F0635D5851FBC5B8BA6E
SHA-512:	3979819B0AC615F9D6A2394A5FA7A7919714A9A591F246879245CED19897A5508747D758535F330CE65938881C4CFFE84E9824A38625F4C184A56985C7A65247
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730263740);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730263740);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730263740);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173026

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.342035409354263
Encrypted:	false
SSDEEP:	48:GUpOxrZkEtnRcoeg3U3erjxwN4Jwc3zBtT:AZNRFTMX4mc/
MD5:	A774FFD00095B4C4079EC5868354F88F
SHA1:	FC7D79D49EF201DCB0BE40EB18EF51728F661940
SHA-256:	5E18FB1137EC72A70C4D8B3AFD628421AEC1F6E939E759E9A27F9DAD4FA7424F
SHA-512:	D7C8A5F45B1E70191528C2BC77E87EB1692CA7B87D7B58DAC7FEC93365DCFD40F9A51A64D0CAA085259374C0ADB6FD3F32C79219A12DC1A484F624A69467A3A9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1c551271-ef44-447b-8c11-32323caf4bd7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730263745402,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P10044...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...16128,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.342035409354263
Encrypted:	false
SSDEEP:	48:GUpOxrZkEtnRcoeg3U3erjxwN4Jwc3zBtT:AZNRFTMX4mc/
MD5:	A774FFD00095B4C4079EC5868354F88F
SHA1:	FC7D79D49EF201DCB0BE40EB18EF51728F661940
SHA-256:	5E18FB1137EC72A70C4D8B3AFD628421AEC1F6E939E759E9A27F9DAD4FA7424F
SHA-512:	D7C8A5F45B1E70191528C2BC77E87EB1692CA7B87D7B58DAC7FEC93365DCFD40F9A51A64D0CAA085259374C0ADB6FD3F32C79219A12DC1A484F624A69467A3A9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1c551271-ef44-447b-8c11-32323caf4bd7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730263745402,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P10044...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...16128,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.342035409354263
Encrypted:	false
SSDEEP:	48:GUpOxrZkEtnRcoeg3U3erjxwN4Jwc3zBtT:AZNRFTMX4mc/
MD5:	A774FFD00095B4C4079EC5868354F88F
SHA1:	FC7D79D49EF201DCB0BE40EB18EF51728F661940
SHA-256:	5E18FB1137EC72A70C4D8B3AFD628421AEC1F6E939E759E9A27F9DAD4FA7424F
SHA-512:	D7C8A5F45B1E70191528C2BC77E87EB1692CA7B87D7B58DAC7FEC93365DCFD40F9A51A64D0CAA085259374C0ADB6FD3F32C79219A12DC1A484F624A69467A3A9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{1c551271-ef44-447b-8c11-32323caf4bd7}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730263745402,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P10044...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...16128,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029983282502515
Encrypted:	false
SSDEEP:	96:ycOMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:RTEr5NX0z3DhRe
MD5:	1CCC74854F83ECADA72FFB696D80F61F
SHA1:	17AE955D4B411CD7D7DE66DF9731C18F775EAB2E
SHA-256:	D12CE55B07792088FD80FDC4BDA381ED199EEBA658EF2E60CBF1C05EB513D72A
SHA-512:	FFECB66F745B2E9EB8C827E619A3FA0A5207EC68C39791864436C7DAB26C3FF8602652844960150C99264B418F4EAD2632CB0E04BD27D90CB81CE835188A6E92
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T04:48:39.661Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029983282502515
Encrypted:	false
SSDEEP:	96:ycOMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:RTEr5NX0z3DhRe
MD5:	1CCC74854F83ECADA72FFB696D80F61F
SHA1:	17AE955D4B411CD7D7DE66DF9731C18F775EAB2E
SHA-256:	D12CE55B07792088FD80FDC4BDA381ED199EEBA658EF2E60CBF1C05EB513D72A
SHA-512:	FFECB66F745B2E9EB8C827E619A3FA0A5207EC68C39791864436C7DAB26C3FF8602652844960150C99264B418F4EAD2632CB0E04BD27D90CB81CE835188A6E92
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T04:48:39.661Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846808832804395
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	59b54224956fe92c6cf81ff78616cf7f
SHA1:	6b0ef89648fd13d05bc8a4f0f1f313c5186f6454
SHA256:	bf8c8b70bc76645ba18ab3d6a37b6139ac2d298f058c519ad36d458c4ebc5607
SHA512:	827c7e406a6e9ea198b76d3e35824777b762787ccad743c0ecae84dae7cb3a0cbc254c1e208fb2bf18845a217d9035f2eb28d1314729474543da2df4a4f6133f
SSDEEP:	12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TH:3qDEvCTbMWu7rQYlBQcBiT6rprG8abH
TLSH:	3E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6721A3ED [Wed Oct 30 03:11:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F953C6E7573h
jmp 00007F953C6E6E7Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F953C6E705Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F953C6E702Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F953C6E9C1Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F953C6E9C68h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F953C6E9C51h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	035a3a2052567d816605d20cf46075ad	False	0.3157387262658228	data	5.373702649820964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 04:34:11.271600008 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.271647930 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:11.271724939 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.277177095 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.277203083 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:11.898933887 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:11.900122881 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.915199041 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.915199041 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.915227890 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:11.915407896 CET	443	49710	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:11.915844917 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.915891886 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:11.918152094 CET	49710	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.918194056 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.919672012 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:11.919683933 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:12.239159107 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:12.239208937 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:12.239762068 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:12.240925074 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:12.240942955 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:12.529622078 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:12.529721975 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:12.534065008 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:12.534065008 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:12.534081936 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:12.534248114 CET	443	49711	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:12.534357071 CET	49711	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:12.944420099 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:12.944463015 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:12.956651926 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:12.971497059 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:12.971514940 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.123544931 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.124978065 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.133469105 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:13.135346889 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.138262033 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.139796019 CET	80	49715	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:13.143212080 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.143223047 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.143290997 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.143635988 CET	443	49712	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.150192022 CET	49712	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.150408030 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:13.150408030 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:13.156591892 CET	80	49715	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:13.503803015 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:13.503832102 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:13.513969898 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:13.515460014 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:13.515472889 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:13.745948076 CET	80	49715	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:13.788286924 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:13.832622051 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.832640886 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.832700968 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.833353996 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.833409071 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.841028929 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.841041088 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.841161013 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.841249943 CET	443	49714	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.841562986 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.841604948 CET	443	49717	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.843034983 CET	49714	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.843066931 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.844568968 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:13.844580889 CET	443	49717	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:13.859832048 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:13.859843016 CET	443	49718	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:13.860523939 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:13.860532045 CET	443	49719	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:13.861027002 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:13.861041069 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:13.862416983 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:13.862432957 CET	443	49718	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:13.862571001 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:13.862577915 CET	443	49719	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:13.997487068 CET	49720	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:13.998441935 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:13.998486996 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:13.998548985 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:13.998692989 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:13.998713017 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.003324986 CET	80	49720	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.003397942 CET	49720	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.003546953 CET	49720	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.010294914 CET	80	49720	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.126652956 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.126672029 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.127726078 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.133090973 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.133097887 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.133164883 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.133351088 CET	443	49716	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.133428097 CET	49716	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.481533051 CET	443	49719	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:14.481622934 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:14.484338045 CET	443	49718	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.485311031 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:14.485325098 CET	443	49719	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:14.485599995 CET	443	49719	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:14.489854097 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.493169069 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:14.493252039 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:14.493361950 CET	443	49719	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:14.494699955 CET	49719	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:14.496236086 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.496249914 CET	443	49718	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.496380091 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.496437073 CET	443	49718	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.496499062 CET	49718	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.496865034 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.496931076 CET	443	49722	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.497006893 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.498898983 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:14.498917103 CET	443	49722	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:14.549868107 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.555217981 CET	80	49715	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.600591898 CET	80	49720	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.610367060 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.615334034 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.619326115 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.622936010 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.622953892 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.623224974 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.632308960 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.632446051 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.632463932 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.632477999 CET	443	49721	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.632510900 CET	49721	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.632910967 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.632946968 CET	443	49723	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.633022070 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.633163929 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:14.633177996 CET	443	49723	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:14.652623892 CET	49720	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.675108910 CET	80	49715	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.697068930 CET	443	49717	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:14.697473049 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:14.697782993 CET	443	49717	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:14.698129892 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:14.702843904 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:14.702852011 CET	443	49717	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:14.702971935 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:14.703006983 CET	443	49717	142.250.186.142	192.168.2.5
Oct 30, 2024 04:34:14.703058004 CET	49717	443	192.168.2.5	142.250.186.142
Oct 30, 2024 04:34:14.719290972 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.941478014 CET	49720	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.941776037 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.947895050 CET	80	49720	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.948293924 CET	80	49715	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:14.953180075 CET	49720	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:14.953254938 CET	49715	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.120119095 CET	443	49722	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.120868921 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.126243114 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.126243114 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.126255035 CET	443	49722	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.126431942 CET	443	49722	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.126746893 CET	49722	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.265923977 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.270811081 CET	443	49723	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:15.271285057 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:15.272423029 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:15.272439957 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.276153088 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:15.276174068 CET	443	49723	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:15.276247025 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.276673079 CET	443	49723	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:15.281500101 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:15.281634092 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:15.281701088 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:15.281841040 CET	443	49723	34.160.144.191	192.168.2.5
Oct 30, 2024 04:34:15.281876087 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:15.281940937 CET	49723	443	192.168.2.5	34.160.144.191
Oct 30, 2024 04:34:15.282845020 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.288157940 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:15.289210081 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.289334059 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.294251919 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.294282913 CET	443	49727	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.294595957 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:15.307459116 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.334172964 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.334183931 CET	443	49727	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.867053032 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:15.908549070 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:15.914244890 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:15.949048042 CET	443	49727	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.949064970 CET	443	49727	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.949120998 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.954410076 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.954422951 CET	443	49727	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.954534054 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.954626083 CET	443	49727	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.954926014 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.954958916 CET	443	49730	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.954994917 CET	49727	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.955115080 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.956485987 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:15.956496954 CET	443	49730	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:15.961061001 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:16.443160057 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:16.448574066 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:16.564728022 CET	443	49730	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:16.564841032 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:16.568557978 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:16.570995092 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:16.571000099 CET	443	49730	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:16.571105003 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:16.571191072 CET	443	49730	34.117.188.166	192.168.2.5
Oct 30, 2024 04:34:16.571305990 CET	49730	443	192.168.2.5	34.117.188.166
Oct 30, 2024 04:34:16.616250992 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:16.693820953 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:16.699219942 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:16.823575974 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:16.879307032 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:16.925235987 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:16.930557013 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:16.930613995 CET	443	49732	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:16.930684090 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:16.931256056 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:16.933228970 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:16.933254957 CET	443	49732	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:16.935405016 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:16.935431004 CET	443	49733	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:16.936825991 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:16.938529015 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:16.938574076 CET	443	49733	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:16.954603910 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:16.954647064 CET	443	49734	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:16.955418110 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:16.960323095 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:16.960335970 CET	443	49734	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:16.998577118 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:16.998625040 CET	443	49735	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:17.001386881 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:17.001563072 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:17.001574039 CET	443	49735	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:17.050134897 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:17.117729902 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:17.539547920 CET	443	49733	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:17.543535948 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:17.547467947 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:17.547473907 CET	443	49733	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:17.547568083 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:17.547648907 CET	443	49733	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:17.550079107 CET	49733	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:17.560683012 CET	443	49732	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:17.568967104 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:17.569693089 CET	443	49734	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:17.575342894 CET	443	49734	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:17.577183008 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:17.631109953 CET	443	49735	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:17.638408899 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:17.661587000 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:17.661602020 CET	443	49735	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:17.661950111 CET	443	49735	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:17.676796913 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:17.676841021 CET	443	49732	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:17.677035093 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:17.677459002 CET	443	49732	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:17.678441048 CET	49732	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:17.683450937 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:17.683474064 CET	443	49734	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:17.683533907 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:17.683758020 CET	443	49734	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:17.689138889 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:17.689182043 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:17.689420938 CET	443	49735	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:17.690500975 CET	49734	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:17.690515995 CET	49735	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:19.384880066 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:19.390343904 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:19.413872004 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.413923025 CET	443	49751	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:19.414709091 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.416188955 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.416204929 CET	443	49751	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:19.423249006 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.423291922 CET	443	49752	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:19.427442074 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.427709103 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.427728891 CET	443	49752	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:19.433063030 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.433114052 CET	443	49753	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:19.433304071 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.433562994 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:19.433595896 CET	443	49753	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:19.514834881 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:19.518790007 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:19.524226904 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:19.565958023 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:19.643523932 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:19.697529078 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:20.019728899 CET	443	49751	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:20.027213097 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:20.033804893 CET	443	49752	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:20.042706966 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:20.052932024 CET	443	49753	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:20.063329935 CET	443	49753	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:20.069773912 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:20.087733030 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.026596069 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.026628017 CET	443	49752	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.027827024 CET	443	49752	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.029052019 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.029114008 CET	443	49753	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.029429913 CET	443	49753	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.032532930 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.032551050 CET	443	49751	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.032808065 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.032866955 CET	443	49751	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.034452915 CET	49751	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.074310064 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.074579954 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.422035933 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.422180891 CET	49753	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.422614098 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.422688961 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:21.422904015 CET	443	49752	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:21.428658009 CET	49752	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:25.137758017 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:25.143110991 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:25.145176888 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:25.145216942 CET	443	49787	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:25.152548075 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:25.157862902 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:25.157876968 CET	443	49787	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:25.267081022 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:25.288713932 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:25.288748026 CET	443	49789	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:25.289697886 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:25.291106939 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:25.291121960 CET	443	49789	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:25.321393967 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:25.429928064 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:25.435204029 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:25.554053068 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:25.600157976 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:25.766216993 CET	443	49787	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:25.766231060 CET	443	49787	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:25.766284943 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:25.889385939 CET	443	49789	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:25.889939070 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:26.318126917 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:26.318140030 CET	443	49787	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:26.318214893 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:26.318341017 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:26.318363905 CET	443	49789	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:26.318377972 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:26.318378925 CET	443	49787	34.120.208.123	192.168.2.5
Oct 30, 2024 04:34:26.318542957 CET	49787	443	192.168.2.5	34.120.208.123
Oct 30, 2024 04:34:26.318666935 CET	443	49789	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:26.319061995 CET	49789	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:27.159697056 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:27.165800095 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:27.290095091 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:27.293138027 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:27.298451900 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:27.342799902 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:27.417428017 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:27.458736897 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:37.302966118 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:37.308253050 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:37.418889999 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:37.424197912 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:37.466152906 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:37.466171026 CET	443	49859	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:37.466782093 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:37.468338013 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:37.468348980 CET	443	49859	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:38.074341059 CET	443	49859	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:38.074455023 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:38.080054998 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:38.080066919 CET	443	49859	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:38.080173969 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:38.080240965 CET	443	49859	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:38.080986977 CET	49859	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:38.083292007 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:38.089423895 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:38.213129997 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:38.217078924 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:38.222429991 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:38.259037971 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:38.341566086 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:38.390588999 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:39.892354965 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:39.892395973 CET	443	49873	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:39.894779921 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:39.894913912 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:39.894939899 CET	443	49873	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:39.901325941 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:39.901407003 CET	443	49874	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:39.902239084 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:39.902360916 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:39.902395010 CET	443	49874	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:39.903328896 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:39.903337002 CET	443	49875	151.101.193.91	192.168.2.5
Oct 30, 2024 04:34:39.903923035 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:39.904056072 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:39.904069901 CET	443	49875	151.101.193.91	192.168.2.5
Oct 30, 2024 04:34:39.924514055 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:39.924555063 CET	443	49876	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:39.926506996 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:39.927967072 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:39.927987099 CET	443	49876	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:39.942950964 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:39.942991018 CET	443	49877	35.201.103.21	192.168.2.5
Oct 30, 2024 04:34:39.946805954 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:39.948267937 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:39.948286057 CET	443	49877	35.201.103.21	192.168.2.5
Oct 30, 2024 04:34:40.509027004 CET	443	49873	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.509222031 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.512098074 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.512115002 CET	443	49873	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.512157917 CET	443	49875	151.101.193.91	192.168.2.5
Oct 30, 2024 04:34:40.512375116 CET	443	49873	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.512453079 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:40.514879942 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:40.514884949 CET	443	49875	151.101.193.91	192.168.2.5
Oct 30, 2024 04:34:40.515201092 CET	443	49875	151.101.193.91	192.168.2.5
Oct 30, 2024 04:34:40.516115904 CET	443	49874	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:40.516638994 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.516735077 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.516804934 CET	443	49873	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.518100977 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:40.518155098 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:40.518454075 CET	443	49875	151.101.193.91	192.168.2.5
Oct 30, 2024 04:34:40.522279978 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:40.522296906 CET	49873	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.522300959 CET	49875	443	192.168.2.5	151.101.193.91
Oct 30, 2024 04:34:40.522336960 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.525160074 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.525201082 CET	443	49874	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:40.525430918 CET	443	49874	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:40.526509047 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:40.528374910 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.528445005 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.528542042 CET	443	49874	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:40.528820038 CET	49874	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.530600071 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.530642986 CET	443	49881	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.531011105 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.531143904 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.531172037 CET	443	49881	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.531795025 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:40.533472061 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.533495903 CET	443	49882	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.534476995 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.534569979 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.534583092 CET	443	49882	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.535883904 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.535913944 CET	443	49883	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.536413908 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.536541939 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:40.536567926 CET	443	49883	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:40.537678003 CET	443	49876	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:40.537755966 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:40.542236090 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:40.542242050 CET	443	49876	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:40.542318106 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:40.542429924 CET	443	49876	35.190.72.216	192.168.2.5
Oct 30, 2024 04:34:40.542690992 CET	49876	443	192.168.2.5	35.190.72.216
Oct 30, 2024 04:34:40.580312014 CET	443	49877	35.201.103.21	192.168.2.5
Oct 30, 2024 04:34:40.580627918 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:40.588433981 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:40.588449955 CET	443	49877	35.201.103.21	192.168.2.5
Oct 30, 2024 04:34:40.588521004 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:40.588768959 CET	443	49877	35.201.103.21	192.168.2.5
Oct 30, 2024 04:34:40.597217083 CET	49877	443	192.168.2.5	35.201.103.21
Oct 30, 2024 04:34:40.612263918 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.612277985 CET	443	49884	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:40.612407923 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.612550020 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:40.612560034 CET	443	49884	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:40.656759977 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:40.660456896 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:40.665802956 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:40.713057995 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:40.785586119 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:40.829045057 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:41.131742001 CET	443	49882	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.132077932 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.135847092 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.135857105 CET	443	49882	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.136128902 CET	443	49882	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.138184071 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.138242006 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.138366938 CET	443	49882	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.138581038 CET	49882	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.141204119 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:41.146461964 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:41.147587061 CET	443	49881	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.148595095 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.148745060 CET	443	49883	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.148801088 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.151335955 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.151345015 CET	443	49881	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.151607037 CET	443	49881	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.153698921 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.153707981 CET	443	49883	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.153985023 CET	443	49883	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.157145023 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.157233953 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.157325029 CET	443	49881	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.157461882 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.157510996 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.157622099 CET	443	49883	35.244.181.201	192.168.2.5
Oct 30, 2024 04:34:41.158387899 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.158401012 CET	49881	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.158411026 CET	49883	443	192.168.2.5	35.244.181.201
Oct 30, 2024 04:34:41.232959986 CET	443	49884	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:41.234739065 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:41.237513065 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:41.237519979 CET	443	49884	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:41.237859964 CET	443	49884	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:41.239917040 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:41.240022898 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:41.240114927 CET	443	49884	34.149.100.209	192.168.2.5
Oct 30, 2024 04:34:41.240195990 CET	49884	443	192.168.2.5	34.149.100.209
Oct 30, 2024 04:34:41.270406961 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:41.274281979 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:41.279624939 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:41.314843893 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:41.398508072 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:41.446410894 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:51.273585081 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:51.278889894 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:51.411647081 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:51.416992903 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:58.270693064 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.270720005 CET	443	49988	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:58.270944118 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.272358894 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.272372961 CET	443	49988	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:58.880531073 CET	443	49988	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:58.880601883 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.884207010 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.884222031 CET	443	49988	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:58.884314060 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.884424925 CET	443	49988	34.107.243.93	192.168.2.5
Oct 30, 2024 04:34:58.885742903 CET	49988	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:34:58.886977911 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:58.892292023 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:59.017453909 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:59.020597935 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:59.025990009 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:59.064708948 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:34:59.144860029 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:34:59.196249008 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:09.025501966 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:09.031112909 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:09.148072004 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:09.153597116 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:16.332391977 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:16.337790012 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:16.461870909 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:16.467787027 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:16.473124027 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:16.514897108 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:16.592343092 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:16.646456003 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:26.474021912 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:26.479391098 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:26.596231937 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:26.601701021 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:36.486952066 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:36.492407084 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:36.625061035 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:36.630527973 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:38.905719042 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:38.905762911 CET	443	50024	34.107.243.93	192.168.2.5
Oct 30, 2024 04:35:38.905922890 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:38.907458067 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:38.907476902 CET	443	50024	34.107.243.93	192.168.2.5
Oct 30, 2024 04:35:39.514420033 CET	443	50024	34.107.243.93	192.168.2.5
Oct 30, 2024 04:35:39.514600039 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:39.519479990 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:39.519488096 CET	443	50024	34.107.243.93	192.168.2.5
Oct 30, 2024 04:35:39.519602060 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:39.519634962 CET	443	50024	34.107.243.93	192.168.2.5
Oct 30, 2024 04:35:39.519726038 CET	50024	443	192.168.2.5	34.107.243.93
Oct 30, 2024 04:35:39.522300005 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:39.527621031 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:39.651792049 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:39.655338049 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:39.660875082 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:39.696337938 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:39.780088902 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:39.834418058 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:49.661986113 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:49.667412043 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:49.793653965 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:49.799031019 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:59.667969942 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:59.673438072 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:35:59.806087971 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:35:59.811654091 CET	80	49725	34.107.221.82	192.168.2.5
Oct 30, 2024 04:36:09.681874990 CET	49726	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:36:09.687208891 CET	80	49726	34.107.221.82	192.168.2.5
Oct 30, 2024 04:36:09.813456059 CET	49725	80	192.168.2.5	34.107.221.82
Oct 30, 2024 04:36:09.818842888 CET	80	49725	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 04:34:11.272207975 CET	49676	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:11.279970884 CET	53	49676	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:11.280949116 CET	52586	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:11.289068937 CET	53	52586	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:12.229418039 CET	57800	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:12.237163067 CET	53	57800	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:12.239155054 CET	61278	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:12.246383905 CET	53	61278	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:12.248961926 CET	50365	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:12.256290913 CET	53	50365	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:12.428211927 CET	54172	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:12.455843925 CET	58049	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:12.466365099 CET	53	58049	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:12.466998100 CET	51837	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:12.476269960 CET	53	51837	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.491559982 CET	52576	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.498838902 CET	53	52576	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.504745007 CET	59781	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.512083054 CET	53	59781	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.516134024 CET	65163	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.525245905 CET	53	65163	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.845123053 CET	56477	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.853560925 CET	53	56477	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.854794025 CET	50779	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.856620073 CET	50802	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.863281965 CET	53	50779	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.865941048 CET	53	50802	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.876257896 CET	59032	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.876698971 CET	52530	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.883852959 CET	53	59032	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.884180069 CET	53	52530	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.884689093 CET	51938	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.885442972 CET	54408	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.892338037 CET	53	51938	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.892652988 CET	53	54408	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.986673117 CET	61528	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.987665892 CET	53392	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:13.996840000 CET	53	53392	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:13.998789072 CET	60588	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:14.006613970 CET	53	60588	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:14.009459972 CET	55722	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:14.017275095 CET	53	55722	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:15.841811895 CET	65212	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:15.881681919 CET	53	49448	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.796761990 CET	57260	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.805145979 CET	53	57260	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.806890011 CET	59558	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.814428091 CET	53	59558	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.817478895 CET	50071	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.824769020 CET	53	50071	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.935988903 CET	53582	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.943857908 CET	53	53582	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.945245981 CET	62149	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.946389914 CET	57953	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.953577042 CET	53	62149	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.953596115 CET	53	57953	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.955337048 CET	53363	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:16.963710070 CET	53	53363	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:16.993705988 CET	60434	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:17.001832008 CET	53	60434	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:19.387890100 CET	59452	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:19.395339966 CET	53	59452	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:19.417463064 CET	60110	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:19.425179958 CET	53	60110	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:19.429718971 CET	50253	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:19.437427044 CET	53	50253	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:25.147772074 CET	53023	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:25.155244112 CET	53	53023	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:25.289064884 CET	57427	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:25.296310902 CET	53	57427	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.160187006 CET	65200	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.160422087 CET	58733	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.161459923 CET	52967	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.168456078 CET	53	65200	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.168864965 CET	53	52967	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.168906927 CET	53	58733	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.169174910 CET	60930	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.169507980 CET	51699	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.169596910 CET	58690	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.176368952 CET	53	60930	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.176773071 CET	53	58690	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.176887035 CET	61928	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.177233934 CET	53	51699	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.177362919 CET	60086	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.177752972 CET	65471	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.184185028 CET	53	61928	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.184346914 CET	53	60086	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.184722900 CET	64997	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.185148001 CET	57725	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.185334921 CET	53	65471	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.192142963 CET	53	64997	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.192604065 CET	53	57725	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.192681074 CET	60465	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.193234921 CET	63294	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.200643063 CET	53	60465	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.201116085 CET	55709	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.201239109 CET	53	63294	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.201653004 CET	61824	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:27.208779097 CET	53	61824	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:27.209633112 CET	53	55709	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:37.466523886 CET	50063	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:37.473789930 CET	53	50063	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:38.083523989 CET	52276	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.892366886 CET	53894	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.892905951 CET	49555	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.900026083 CET	53	53894	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:39.900885105 CET	53	49555	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:39.903860092 CET	55518	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.911266088 CET	53	55518	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:39.923171997 CET	58811	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.930691957 CET	53	58811	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:39.931827068 CET	58472	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.939686060 CET	53	58472	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:39.943496943 CET	58326	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.951695919 CET	53	58326	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:39.965384007 CET	56235	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:39.972670078 CET	53	56235	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:58.269706011 CET	57131	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:58.276787043 CET	53	57131	1.1.1.1	192.168.2.5
Oct 30, 2024 04:34:58.279386044 CET	49411	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:34:58.286618948 CET	53	49411	1.1.1.1	192.168.2.5
Oct 30, 2024 04:35:16.332701921 CET	51928	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:35:38.896676064 CET	51063	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:35:38.904652119 CET	53	51063	1.1.1.1	192.168.2.5
Oct 30, 2024 04:35:38.905653954 CET	55167	53	192.168.2.5	1.1.1.1
Oct 30, 2024 04:35:38.912971973 CET	53	55167	1.1.1.1	192.168.2.5
Oct 30, 2024 04:35:39.522481918 CET	57463	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 04:34:11.272207975 CET	192.168.2.5	1.1.1.1	0xf746	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:11.280949116 CET	192.168.2.5	1.1.1.1	0xc2b5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:12.229418039 CET	192.168.2.5	1.1.1.1	0x6b3e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.239155054 CET	192.168.2.5	1.1.1.1	0x459	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.248961926 CET	192.168.2.5	1.1.1.1	0x23af	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:12.428211927 CET	192.168.2.5	1.1.1.1	0xb3c2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.455843925 CET	192.168.2.5	1.1.1.1	0x9a52	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.466998100 CET	192.168.2.5	1.1.1.1	0xb626	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:13.491559982 CET	192.168.2.5	1.1.1.1	0x2065	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.504745007 CET	192.168.2.5	1.1.1.1	0xf244	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.516134024 CET	192.168.2.5	1.1.1.1	0x71de	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:13.845123053 CET	192.168.2.5	1.1.1.1	0xaff1	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.854794025 CET	192.168.2.5	1.1.1.1	0x80e7	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.856620073 CET	192.168.2.5	1.1.1.1	0x7294	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.876257896 CET	192.168.2.5	1.1.1.1	0xd580	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.876698971 CET	192.168.2.5	1.1.1.1	0x56fb	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.884689093 CET	192.168.2.5	1.1.1.1	0x2c85	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:13.885442972 CET	192.168.2.5	1.1.1.1	0xae78	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:13.986673117 CET	192.168.2.5	1.1.1.1	0x96cb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.987665892 CET	192.168.2.5	1.1.1.1	0xf57a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.998789072 CET	192.168.2.5	1.1.1.1	0xf54a	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:14.009459972 CET	192.168.2.5	1.1.1.1	0x7150	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:15.841811895 CET	192.168.2.5	1.1.1.1	0x7f2e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.796761990 CET	192.168.2.5	1.1.1.1	0x6f6a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.806890011 CET	192.168.2.5	1.1.1.1	0x9d6f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.817478895 CET	192.168.2.5	1.1.1.1	0xdf43	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:16.935988903 CET	192.168.2.5	1.1.1.1	0x84b3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.945245981 CET	192.168.2.5	1.1.1.1	0x2f2b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:16.946389914 CET	192.168.2.5	1.1.1.1	0x509c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.955337048 CET	192.168.2.5	1.1.1.1	0x1ac1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.993705988 CET	192.168.2.5	1.1.1.1	0x350	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:19.387890100 CET	192.168.2.5	1.1.1.1	0xb03	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:19.417463064 CET	192.168.2.5	1.1.1.1	0xdfb5	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:19.429718971 CET	192.168.2.5	1.1.1.1	0x3acd	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:25.147772074 CET	192.168.2.5	1.1.1.1	0x67af	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:25.289064884 CET	192.168.2.5	1.1.1.1	0x2bf3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:27.160187006 CET	192.168.2.5	1.1.1.1	0xb6d5	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.160422087 CET	192.168.2.5	1.1.1.1	0x219b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.161459923 CET	192.168.2.5	1.1.1.1	0x437a	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.169174910 CET	192.168.2.5	1.1.1.1	0x9da1	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.169507980 CET	192.168.2.5	1.1.1.1	0x8cc2	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.169596910 CET	192.168.2.5	1.1.1.1	0x6e3f	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176887035 CET	192.168.2.5	1.1.1.1	0xccb0	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:27.177362919 CET	192.168.2.5	1.1.1.1	0x3d57	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:27.177752972 CET	192.168.2.5	1.1.1.1	0xa136	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 04:34:27.184722900 CET	192.168.2.5	1.1.1.1	0x20db	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.185148001 CET	192.168.2.5	1.1.1.1	0x383a	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.192681074 CET	192.168.2.5	1.1.1.1	0x8dab	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.193234921 CET	192.168.2.5	1.1.1.1	0x779e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.201116085 CET	192.168.2.5	1.1.1.1	0xb103	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:27.201653004 CET	192.168.2.5	1.1.1.1	0x190a	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:37.466523886 CET	192.168.2.5	1.1.1.1	0x1a5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:38.083523989 CET	192.168.2.5	1.1.1.1	0x28e3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.892366886 CET	192.168.2.5	1.1.1.1	0xf7d5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 04:34:39.892905951 CET	192.168.2.5	1.1.1.1	0x892b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.903860092 CET	192.168.2.5	1.1.1.1	0x204b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.923171997 CET	192.168.2.5	1.1.1.1	0xc39f	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 04:34:39.931827068 CET	192.168.2.5	1.1.1.1	0x9e67	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.943496943 CET	192.168.2.5	1.1.1.1	0x44d2	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.965384007 CET	192.168.2.5	1.1.1.1	0xe9e2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:34:58.269706011 CET	192.168.2.5	1.1.1.1	0x36f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:58.279386044 CET	192.168.2.5	1.1.1.1	0x7c4c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:35:16.332701921 CET	192.168.2.5	1.1.1.1	0x8578	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:35:38.896676064 CET	192.168.2.5	1.1.1.1	0xd99d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:35:38.905653954 CET	192.168.2.5	1.1.1.1	0x3427	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 04:35:39.522481918 CET	192.168.2.5	1.1.1.1	0xa8b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 04:34:11.269170046 CET	1.1.1.1	192.168.2.5	0xb2dd	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:11.279970884 CET	1.1.1.1	192.168.2.5	0xf746	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.237163067 CET	1.1.1.1	192.168.2.5	0x6b3e	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.246383905 CET	1.1.1.1	192.168.2.5	0x459	No error (0)	youtube.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.256290913 CET	1.1.1.1	192.168.2.5	0x23af	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 04:34:12.439763069 CET	1.1.1.1	192.168.2.5	0xb3c2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:12.439763069 CET	1.1.1.1	192.168.2.5	0xb3c2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.466365099 CET	1.1.1.1	192.168.2.5	0x9a52	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:12.476269960 CET	1.1.1.1	192.168.2.5	0xb626	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 04:34:13.498838902 CET	1.1.1.1	192.168.2.5	0x2065	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.512083054 CET	1.1.1.1	192.168.2.5	0xf244	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.853560925 CET	1.1.1.1	192.168.2.5	0xaff1	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:13.853560925 CET	1.1.1.1	192.168.2.5	0xaff1	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.853643894 CET	1.1.1.1	192.168.2.5	0x86c6	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:13.853643894 CET	1.1.1.1	192.168.2.5	0x86c6	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.863281965 CET	1.1.1.1	192.168.2.5	0x80e7	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.865941048 CET	1.1.1.1	192.168.2.5	0x7294	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.865941048 CET	1.1.1.1	192.168.2.5	0x7294	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.883852959 CET	1.1.1.1	192.168.2.5	0xd580	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.884180069 CET	1.1.1.1	192.168.2.5	0x56fb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.996582031 CET	1.1.1.1	192.168.2.5	0x96cb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:13.996582031 CET	1.1.1.1	192.168.2.5	0x96cb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:13.996840000 CET	1.1.1.1	192.168.2.5	0xf57a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:13.996840000 CET	1.1.1.1	192.168.2.5	0xf57a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:13.996840000 CET	1.1.1.1	192.168.2.5	0xf57a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:14.006613970 CET	1.1.1.1	192.168.2.5	0xf54a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:14.017275095 CET	1.1.1.1	192.168.2.5	0x7150	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 04:34:15.849467039 CET	1.1.1.1	192.168.2.5	0x7f2e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:16.805145979 CET	1.1.1.1	192.168.2.5	0x6f6a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.814428091 CET	1.1.1.1	192.168.2.5	0x9d6f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.924424887 CET	1.1.1.1	192.168.2.5	0x7a2e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.943857908 CET	1.1.1.1	192.168.2.5	0x84b3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.953596115 CET	1.1.1.1	192.168.2.5	0x509c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:16.953596115 CET	1.1.1.1	192.168.2.5	0x509c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.963710070 CET	1.1.1.1	192.168.2.5	0x1ac1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:16.981004953 CET	1.1.1.1	192.168.2.5	0x4891	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:16.981004953 CET	1.1.1.1	192.168.2.5	0x4891	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:19.394695044 CET	1.1.1.1	192.168.2.5	0x1960	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:19.395339966 CET	1.1.1.1	192.168.2.5	0xb03	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:19.395339966 CET	1.1.1.1	192.168.2.5	0xb03	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:19.395339966 CET	1.1.1.1	192.168.2.5	0xb03	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:19.425179958 CET	1.1.1.1	192.168.2.5	0xdfb5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168456078 CET	1.1.1.1	192.168.2.5	0xb6d5	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168864965 CET	1.1.1.1	192.168.2.5	0x437a	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168864965 CET	1.1.1.1	192.168.2.5	0x437a	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168906927 CET	1.1.1.1	192.168.2.5	0x219b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:27.168906927 CET	1.1.1.1	192.168.2.5	0x219b	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176368952 CET	1.1.1.1	192.168.2.5	0x9da1	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.176773071 CET	1.1.1.1	192.168.2.5	0x6e3f	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.177233934 CET	1.1.1.1	192.168.2.5	0x8cc2	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.184185028 CET	1.1.1.1	192.168.2.5	0xccb0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 04:34:27.184185028 CET	1.1.1.1	192.168.2.5	0xccb0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 04:34:27.184185028 CET	1.1.1.1	192.168.2.5	0xccb0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 04:34:27.184185028 CET	1.1.1.1	192.168.2.5	0xccb0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 04:34:27.184346914 CET	1.1.1.1	192.168.2.5	0x3d57	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 04:34:27.185334921 CET	1.1.1.1	192.168.2.5	0xa136	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 04:34:27.192142963 CET	1.1.1.1	192.168.2.5	0x20db	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:27.192142963 CET	1.1.1.1	192.168.2.5	0x20db	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.192142963 CET	1.1.1.1	192.168.2.5	0x20db	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.192142963 CET	1.1.1.1	192.168.2.5	0x20db	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.192142963 CET	1.1.1.1	192.168.2.5	0x20db	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.192604065 CET	1.1.1.1	192.168.2.5	0x383a	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.200643063 CET	1.1.1.1	192.168.2.5	0x8dab	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.200643063 CET	1.1.1.1	192.168.2.5	0x8dab	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.200643063 CET	1.1.1.1	192.168.2.5	0x8dab	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.200643063 CET	1.1.1.1	192.168.2.5	0x8dab	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:27.201239109 CET	1.1.1.1	192.168.2.5	0x779e	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:38.091391087 CET	1.1.1.1	192.168.2.5	0x28e3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:38.091391087 CET	1.1.1.1	192.168.2.5	0x28e3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.900885105 CET	1.1.1.1	192.168.2.5	0x892b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.900885105 CET	1.1.1.1	192.168.2.5	0x892b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.900885105 CET	1.1.1.1	192.168.2.5	0x892b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.900885105 CET	1.1.1.1	192.168.2.5	0x892b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.911266088 CET	1.1.1.1	192.168.2.5	0x204b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.911266088 CET	1.1.1.1	192.168.2.5	0x204b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.911266088 CET	1.1.1.1	192.168.2.5	0x204b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.911266088 CET	1.1.1.1	192.168.2.5	0x204b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.930691957 CET	1.1.1.1	192.168.2.5	0xc39f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 04:34:39.930691957 CET	1.1.1.1	192.168.2.5	0xc39f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 04:34:39.930691957 CET	1.1.1.1	192.168.2.5	0xc39f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 04:34:39.930691957 CET	1.1.1.1	192.168.2.5	0xc39f	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 04:34:39.939686060 CET	1.1.1.1	192.168.2.5	0x9e67	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:39.939686060 CET	1.1.1.1	192.168.2.5	0x9e67	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:39.951695919 CET	1.1.1.1	192.168.2.5	0x44d2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:34:41.171185017 CET	1.1.1.1	192.168.2.5	0x4503	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:41.171185017 CET	1.1.1.1	192.168.2.5	0x4503	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:34:58.276787043 CET	1.1.1.1	192.168.2.5	0x36f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:35:16.339802980 CET	1.1.1.1	192.168.2.5	0x8578	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:35:16.339802980 CET	1.1.1.1	192.168.2.5	0x8578	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:35:38.904652119 CET	1.1.1.1	192.168.2.5	0xd99d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 04:35:39.529496908 CET	1.1.1.1	192.168.2.5	0xa8b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 04:35:39.529496908 CET	1.1.1.1	192.168.2.5	0xa8b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:34:13.150408030 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:13.745948076 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49796 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:14.549868107 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:14.675108910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49797 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:34:14.003546953 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:14.600591898 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40723 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:34:15.276247025 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:15.867053032 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40724 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:16.443160057 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:16.568557978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40725 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:16.925235987 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:17.050134897 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40725 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:19.518790007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:19.643523932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40728 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:25.429928064 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:25.554053068 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40734 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:27.293138027 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:27.417428017 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40736 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:37.418889999 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:34:38.217078924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:38.341566086 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40747 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:40.660456896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:40.785586119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40749 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:41.274281979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:41.398508072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:34:51.411647081 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:34:59.020597935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:34:59.144860029 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40768 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:35:09.148072004 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:16.467787027 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:35:16.592343092 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40785 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:35:26.596231937 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:36.625061035 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:39.655338049 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 04:35:39.780088902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 40808 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 04:35:49.793653965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:59.806087971 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:36:09.813456059 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	34.107.221.82	80	7148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 04:34:15.289334059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:15.908549070 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49798 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:16.693820953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:16.823575974 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49799 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:19.384880066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:19.514834881 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49802 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:25.137758017 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:25.267081022 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49808 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:27.159697056 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:27.290095091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49810 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:37.302966118 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:34:38.083292007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:38.213129997 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49821 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:40.526509047 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:40.656759977 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49823 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:41.141204119 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:41.270406961 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49824 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:34:51.273585081 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:34:58.886977911 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:34:59.017453909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49841 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:35:09.025501966 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:16.332391977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:35:16.461870909 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49859 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:35:26.474021912 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:36.486952066 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:39.522300005 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 04:35:39.651792049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 49882 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 04:35:49.661986113 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:35:59.667969942 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 04:36:09.681874990 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	23:34:05
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x910000
File size:	919'552 bytes
MD5 hash:	59B54224956FE92C6CF81FF78616CF7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2173903998.000000000109F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:34:05
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:34:05
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:34:07
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:34:08
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:34:08
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:34:08
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:34:09
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab10e24-fd26-47a6-a30f-3c3a34f93290} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c7d370710 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:34:11
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -parentBuildID 20230927232528 -prefsHandle 4360 -prefMapHandle 3924 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1310df77-ec61-4df6-93b3-c28fa807be12} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c151fae10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	23:34:16
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5032 -prefMapHandle 5052 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a0a801-27a0-47f3-8aa4-31142e5b059f} 7148 "\\.\pipe\gecko-crash-server-pipe.7148" 18c15983510 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	1572
Total number of Limit Nodes:	54

Executed Functions

Function 009142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0091430D

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

GetCurrentProcess.KERNEL32(?,009ACB64,00000000,?,?), ref: 00914422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00914429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00914454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00914466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00914474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0091447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009144A0

Strings

GetNativeSystemInfo, xrefs: 00914460
|O, xrefs: 009536F8
kernel32.dll, xrefs: 0091444F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 59174b2b3e8b175201c2c7ecb44d0979816e8902a77670d40cfe6b728972c99c
Instruction ID: 8dbac7ff0bf77d9aed00edbe0b124db21a0bc9ab5a248b4b9eab696236b91aa8
Opcode Fuzzy Hash: 59174b2b3e8b175201c2c7ecb44d0979816e8902a77670d40cfe6b728972c99c
Instruction Fuzzy Hash: 64A1D671A3E2C4CFC711C7697CC16D97FE86B2A741B08A899E4419FA62D2344D88EB71

Function 009142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009150AA,?,?,00000000,00000000), ref: 009142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009150AA,?,?,00000000,00000000), ref: 009142C9
LoadResource.KERNEL32(?,00000000,?,?,009150AA,?,?,00000000,00000000,?,?,?,?,?,?,00914F20), ref: 009535BE
SizeofResource.KERNEL32(?,00000000,?,?,009150AA,?,?,00000000,00000000,?,?,?,?,?,?,00914F20), ref: 009535D3
LockResource.KERNEL32(009150AA,?,?,009150AA,?,?,00000000,00000000,?,?,?,?,?,?,00914F20,?), ref: 009535E6

Strings

SCRIPT, xrefs: 009142BF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 70cf2ec84d032aba1b70c54b0568cd535e491c5cb26e331c3e8207209e02f19c
Instruction ID: 8fb9ded0277207578b36d272ad5f20ebc232cb383fe3fbabb41bd6fb045cfe47
Opcode Fuzzy Hash: 70cf2ec84d032aba1b70c54b0568cd535e491c5cb26e331c3e8207209e02f19c
Instruction Fuzzy Hash: 46117CB0300704BFD7218B65DC48F677BBEEFCAB51F108569B8229A250DB71D8409660

Function 00952BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00912B6B

Part of subcall function 00913A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009E1418,?,00912E7F,?,?,?,00000000), ref: 00913A78

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,009D2224), ref: 00952C10
ShellExecuteW.SHELL32(00000000,?,?,009D2224), ref: 00952C17

Strings

runas, xrefs: 00952C0B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a261a1e29b79507bfc6da9b8704300bc4198f531e44a64fab8fd78da826e5bac
Instruction ID: dfde6272ace22e109ef1f35b947ecbd66755aacc78eef795826fb0f49d1d7bcc
Opcode Fuzzy Hash: a261a1e29b79507bfc6da9b8704300bc4198f531e44a64fab8fd78da826e5bac
Instruction Fuzzy Hash: 1211D23134C3496AC715FF20D851AFE77A89FD2310F44442DB192061A2DF308A8A9752

Function 0097D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0097D501
Process32FirstW.KERNEL32(00000000,?), ref: 0097D50F
Process32NextW.KERNEL32(00000000,?), ref: 0097D52F
CloseHandle.KERNELBASE(00000000), ref: 0097D5DC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 21d9fe7a60f85a2f422af4b87cbd67acce7a8bfa0440690135c2569fd8078f5b
Instruction ID: 78408d8f5f8374f0c34f8bcf4456a84c7c31223a3bc6c68867acb101c8c8e16d
Opcode Fuzzy Hash: 21d9fe7a60f85a2f422af4b87cbd67acce7a8bfa0440690135c2569fd8078f5b
Instruction Fuzzy Hash: 0F31A2722083049FD301EF54C891BAFBBF8EFD9354F14492DF589861A1EB71A985CB92

Function 0097DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00955222), ref: 0097DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0097DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0097DBEE
FindClose.KERNEL32(00000000), ref: 0097DBFA

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fdd5aa761573f73852f9cc981876e58f73cd9b61c67ad40f0fb93310bc16b063
Instruction ID: e4f39111d91b1a0b4e310ea0c9e087ca2f14cea5b25a827a1cc6184bfc5c9d4c
Opcode Fuzzy Hash: fdd5aa761573f73852f9cc981876e58f73cd9b61c67ad40f0fb93310bc16b063
Instruction Fuzzy Hash: 9AF02B728299105782216B7CEC0D8AA37BC9E03334B188702FCBAC20F0EFB09D54D6D5

Function 00934CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009428E9,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002,00000000,?,009428E9), ref: 00934D09
TerminateProcess.KERNEL32(00000000,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002,00000000,?,009428E9), ref: 00934D10
ExitProcess.KERNEL32 ref: 00934D22

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8c6ccaf0efb8537f7ca3d10051dfaf47f7e090751d4c73edf64001b505409e87
Instruction ID: 60c7011f2a22f4f49c79c33a1accd7156217dcbf43829161bc7b37d639217d07
Opcode Fuzzy Hash: 8c6ccaf0efb8537f7ca3d10051dfaf47f7e090751d4c73edf64001b505409e87
Instruction Fuzzy Hash: C1E0B671014148BBCF11AF64DD0AA593B69EF82785F118014FC199E172CB35FD42DF80

Function 0099AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0099B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0099B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0099B1D4
_wcslen.LIBCMT ref: 0099B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0099B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0099B236
_wcslen.LIBCMT ref: 0099B332

Part of subcall function 009805A7: GetStdHandle.KERNEL32(000000F6), ref: 009805C6

_wcslen.LIBCMT ref: 0099B34B
_wcslen.LIBCMT ref: 0099B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0099B3B6
GetLastError.KERNEL32(00000000), ref: 0099B407
CloseHandle.KERNEL32(?), ref: 0099B439
CloseHandle.KERNEL32(00000000), ref: 0099B44A
CloseHandle.KERNEL32(00000000), ref: 0099B45C
CloseHandle.KERNEL32(00000000), ref: 0099B46E
CloseHandle.KERNEL32(?), ref: 0099B4E3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: aa6348a3aa1beedb5175a495ace5e2b68019296d6121c4336db4ad317d1379e0
Instruction ID: 09fbe93ef56ec4d917b98346188e5b9e6f41d067d1e435d5bc24d5f405cddf71
Opcode Fuzzy Hash: aa6348a3aa1beedb5175a495ace5e2b68019296d6121c4336db4ad317d1379e0
Instruction Fuzzy Hash: 94F1BE316083009FCB14EF28D991B6EBBE5AFC5710F14895DF8998B2A2DB35EC44CB52

Function 0091D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0091D807
timeGetTime.WINMM ref: 0091DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091DB28
TranslateMessage.USER32(?), ref: 0091DB7B
DispatchMessageW.USER32(?), ref: 0091DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091DB9F
Sleep.KERNELBASE(0000000A), ref: 0091DBB1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 709c0bf18f45daac3b3a4b8c647639c489d7d51dfb28116bf7ccdcb11725583a
Instruction ID: af4022b48618a324012f764954c870abbb32de1ee41a7b9e102031f804de648e
Opcode Fuzzy Hash: 709c0bf18f45daac3b3a4b8c647639c489d7d51dfb28116bf7ccdcb11725583a
Instruction Fuzzy Hash: 9842F370709745DFD728CF24C894BAAB7E8BF86304F14895DF4A68B291D774E884DB82

Function 00912CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00912D07
RegisterClassExW.USER32(00000030), ref: 00912D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00912D42
InitCommonControlsEx.COMCTL32(?), ref: 00912D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00912D6F
LoadIconW.USER32(000000A9), ref: 00912D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00912D94

Strings

+, xrefs: 00912CF0
TaskbarCreated, xrefs: 00912D37
AutoIt v3 GUI, xrefs: 00912D23
0, xrefs: 00912CE9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1c1c546acabb9e6d4da779f7b17e74854a8fcff29bfc5e6c13ef8eb24935484b
Instruction ID: 87ba026ca74bef6207db06b0393bbc7c81b0ce647ce7db0e92293fbbf19d0476
Opcode Fuzzy Hash: 1c1c546acabb9e6d4da779f7b17e74854a8fcff29bfc5e6c13ef8eb24935484b
Instruction Fuzzy Hash: 8A21C4B5925358EFDB00DFA4EC89BDDBBB4FB09700F00811AF511AA2A0D7B54944EF91

Function 0095065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0095039A: CreateFileW.KERNELBASE(00000000,00000000,?,00950704,?,?,00000000,?,00950704,00000000,0000000C), ref: 009503B7

GetLastError.KERNEL32 ref: 0095076F
__dosmaperr.LIBCMT ref: 00950776
GetFileType.KERNELBASE(00000000), ref: 00950782
GetLastError.KERNEL32 ref: 0095078C
__dosmaperr.LIBCMT ref: 00950795
CloseHandle.KERNEL32(00000000), ref: 009507B5
CloseHandle.KERNEL32(?), ref: 009508FF
GetLastError.KERNEL32 ref: 00950931
__dosmaperr.LIBCMT ref: 00950938

Strings

H, xrefs: 009508BD

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 35fd16e257a949438aa6f9839b89d41b045be0d1d18effcf2951704591c86e3d
Instruction ID: 784d94e489dfca7fca0c81c34ccf53cfbff0a044bb375c9f37cfb70244903f0b
Opcode Fuzzy Hash: 35fd16e257a949438aa6f9839b89d41b045be0d1d18effcf2951704591c86e3d
Instruction Fuzzy Hash: 99A13432A141448FDF19EF68DC92BAE3BA4AB8A321F140159FC119F392DB319C16DB91

Function 0091344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00913A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009E1418,?,00912E7F,?,?,?,00000000), ref: 00913A78

Part of subcall function 00913357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00913379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0091356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0095318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009531CE
RegCloseKey.ADVAPI32(?), ref: 00953210
_wcslen.LIBCMT ref: 00953277
_wcslen.LIBCMT ref: 00953286

Strings

Include, xrefs: 00953184, 009531C5
\, xrefs: 0095328C
Software\AutoIt v3\AutoIt, xrefs: 00913560
\Include\, xrefs: 00913527

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: cab8504dbb63d0537cb1669fb52bef4c168ac7a6adaee0330c180bed27b66e8d
Instruction ID: 43e2d279d43f75d962390396e4265732f909c8cc3968e19b226854b0174b5998
Opcode Fuzzy Hash: cab8504dbb63d0537cb1669fb52bef4c168ac7a6adaee0330c180bed27b66e8d
Instruction Fuzzy Hash: 94719FB15183449EC314EF25DC82AABBBECFF85B40F40542EF5558B160EB749A88DFA1

Function 00912B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00912B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00912B9D
LoadIconW.USER32(00000063), ref: 00912BB3
LoadIconW.USER32(000000A4), ref: 00912BC5
LoadIconW.USER32(000000A2), ref: 00912BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00912BEF
RegisterClassExW.USER32(?), ref: 00912C40

Part of subcall function 00912CD4: GetSysColorBrush.USER32(0000000F), ref: 00912D07
Part of subcall function 00912CD4: RegisterClassExW.USER32(00000030), ref: 00912D31
Part of subcall function 00912CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00912D42
Part of subcall function 00912CD4: InitCommonControlsEx.COMCTL32(?), ref: 00912D5F
Part of subcall function 00912CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00912D6F
Part of subcall function 00912CD4: LoadIconW.USER32(000000A9), ref: 00912D85
Part of subcall function 00912CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00912D94

Strings

#, xrefs: 00912C16
0, xrefs: 00912C0F
AutoIt v3, xrefs: 00912C2F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7642ad882d3a28affcc7655aea4d67ec3c1afb67fcda2bb3b72531919f54239a
Instruction ID: 5deb61bc791acafea1be80e090040baa1d257ec478e13b12651c49d75419da83
Opcode Fuzzy Hash: 7642ad882d3a28affcc7655aea4d67ec3c1afb67fcda2bb3b72531919f54239a
Instruction Fuzzy Hash: EB211AB4E28358AFDB109FA5EC95AAD7FB4FB48B50F00501AF500AA7A0D7B15940EF90

Function 00913170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0091316A,?,?), ref: 009131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0091316A,?,?), ref: 00913204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00913227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0091316A,?,?), ref: 00913232
CreatePopupMenu.USER32 ref: 00913246
PostQuitMessage.USER32(00000000), ref: 00913267

Strings

TaskbarCreated, xrefs: 0091322D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9ca57ca0cd8c6ec14d58958d4c1c4298ceb4960aee7ab8f4865542920f035d33
Instruction ID: 6b9dd23828c616c5a908191a7a965500029d2d6ebb1da9212f087be7bf697cfe
Opcode Fuzzy Hash: 9ca57ca0cd8c6ec14d58958d4c1c4298ceb4960aee7ab8f4865542920f035d33
Instruction Fuzzy Hash: 7241273135824CBBDF256B789D4DBFD367DEB46340F048525F9128A2A2CB758EC0A7A1

Function 00911410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00911459
CoUninitialize.COMBASE ref: 009114F8
UnregisterHotKey.USER32(?), ref: 009116DD
DestroyWindow.USER32(?), ref: 009524B9
FreeLibrary.KERNEL32(?), ref: 0095251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0095254B

Strings

close all, xrefs: 00911454

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f5427699a3abe8daa7c9d1416772caff973c7acb95220bdb7832b140c5441e76
Instruction ID: 26e78f35de3a6ba46b9e106c60fb92986886438b337132ca0144b0380013bdca
Opcode Fuzzy Hash: f5427699a3abe8daa7c9d1416772caff973c7acb95220bdb7832b140c5441e76
Instruction Fuzzy Hash: F4D1AC31702222DFCB29EF15C899B69F7A4BF46701F1441ADE94A6B261DB30EC56CF90

Function 00912C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00912C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00912CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00911CAD,?), ref: 00912CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00911CAD,?), ref: 00912CCF

Strings

edit, xrefs: 00912CAC
AutoIt v3, xrefs: 00912C89, 00912C8E, 00912C8F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f7e9c2baec7e5a501ae6cc969d546dd570eaa99979e420d6fe05a9d88534bfc6
Instruction ID: a834c12fb2b53082859d3668b39d24f1cee0e73306a11a16e413886f669970b5
Opcode Fuzzy Hash: f7e9c2baec7e5a501ae6cc969d546dd570eaa99979e420d6fe05a9d88534bfc6
Instruction Fuzzy Hash: 66F0DAB55682D07AEB311717AC88E772EBDD7C7F50B00105AF900AA5A0C6715C51EAB0

Function 00913B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00913B0F,SwapMouseButtons,00000004,?), ref: 00913B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00913B0F,SwapMouseButtons,00000004,?), ref: 00913B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00913B0F,SwapMouseButtons,00000004,?), ref: 00913B83

Strings

Control Panel\Mouse, xrefs: 00913B3E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 126cadd3ab1c0b049bae39bdaf1220d28a6604071df05e938914390004f22ed6
Instruction ID: 5150490f7ccea34305433cfee9a407e0c97b8527797c890154b7e8de6de22d1d
Opcode Fuzzy Hash: 126cadd3ab1c0b049bae39bdaf1220d28a6604071df05e938914390004f22ed6
Instruction Fuzzy Hash: E0112AB5664219FFDF208FA5DC44AFFB7BCEF05744B108959A805D7110E2319E80ABA0

Function 00913923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009533A2

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00913A04

Strings

Line: , xrefs: 009533EB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6a1466b545aa29351991dd8425416867f0bb613018972a5b9f5dadda966c9866
Instruction ID: 16236a90b6192eb7ef9ff4af00e6726aee29ca1eaaf12fc0968042db422db002
Opcode Fuzzy Hash: 6a1466b545aa29351991dd8425416867f0bb613018972a5b9f5dadda966c9866
Instruction Fuzzy Hash: 9F31D671608348AAD325EB20DC45BEFB7ECAF84710F00891AF59993191DB749A89C7C2

Function 0092FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00930668

Part of subcall function 009332A4: RaiseException.KERNEL32(?,?,?,0093068A,?,009E1444,?,?,?,?,?,?,0093068A,00911129,009D8738,00911129), ref: 00933304

__CxxThrowException@8.LIBVCRUNTIME ref: 00930685

Strings

Unknown exception, xrefs: 00930692

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 918628464eeb129d06960273ef5a37a0137754bc5690f3ab292a713440aad1d6
Instruction ID: a5b34a201c9575550e43957c81cb53f29877ae5ae773fe494f236b037d5f4d6f
Opcode Fuzzy Hash: 918628464eeb129d06960273ef5a37a0137754bc5690f3ab292a713440aad1d6
Instruction Fuzzy Hash: B9F0C23490020D77CB00B6A5E866E9E777C9EC0314F608631B824D65DAEF71EA65CDC1

Function 009110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00911BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00911BF4
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00911BFC
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00911C07
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00911C12
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00911C1A
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00911C22

Part of subcall function 00911B4A: RegisterWindowMessageW.USER32(00000004,?,009112C4), ref: 00911BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0091136A
OleInitialize.OLE32 ref: 00911388
CloseHandle.KERNEL32(00000000,00000000), ref: 009524AB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 067fdb818b00b8f3f33af2fa3b0a0faaa81ffbadababe24d5a2093b1916468ed
Instruction ID: 955a8e267fc072f6c11e9c9dc4dc882b57bd5b536beea8176ab2637c0eade5a4
Opcode Fuzzy Hash: 067fdb818b00b8f3f33af2fa3b0a0faaa81ffbadababe24d5a2093b1916468ed
Instruction Fuzzy Hash: 357190B4A293849FC795DF7AA9856993AE0BBC9344354412AE11ACF371FB304C81EF45

Function 0097C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00913923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00913A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0097C259
KillTimer.USER32(?,00000001,?,?), ref: 0097C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0097C270

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 459f171b0915c7685d9fbcd1bcf0a15aebc6cf56d9a36f67b8bd86a209b57f70
Instruction ID: 1f83f5fb196500ff559740565f7c3f5b175c6701470682cd907b4b6ffacecb65
Opcode Fuzzy Hash: 459f171b0915c7685d9fbcd1bcf0a15aebc6cf56d9a36f67b8bd86a209b57f70
Instruction Fuzzy Hash: 2E3195B1904344AFEB22DF649895BE7BBEC9F06704F00449DD6EE97242C774AA84CB51

Function 009486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009485CC,?,009D8CC8,0000000C), ref: 00948704
GetLastError.KERNEL32(?,009485CC,?,009D8CC8,0000000C), ref: 0094870E
__dosmaperr.LIBCMT ref: 00948739

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f447293ca66be7ca64035d909e805bbee24d6d89917663f46648de66fe7efbda
Instruction ID: 7ae6348c13907d8fbc94cb16a3413666e1c2d51d36dc9049462052b43c71e1b2
Opcode Fuzzy Hash: f447293ca66be7ca64035d909e805bbee24d6d89917663f46648de66fe7efbda
Instruction Fuzzy Hash: 52018933A0826067D6B56774A899F7F2B4D4BC2B78F3B0119F8188F1D3DEA1CC819290

Function 0091DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0091DB7B
DispatchMessageW.USER32(?), ref: 0091DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091DB9F
Sleep.KERNELBASE(0000000A), ref: 0091DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00961CC9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 2acf028a949c0c201443bcc55e3f8127535aa889c7cd3b8eac7289eb97627ff4
Instruction ID: 557e74e82ea2420a3a7990d0745f29a1ad3068723737e4b9da5143f263f70dbd
Opcode Fuzzy Hash: 2acf028a949c0c201443bcc55e3f8127535aa889c7cd3b8eac7289eb97627ff4
Instruction Fuzzy Hash: E7F05E706593849BE730CB608C89FEA73ACEF85310F104919F64A870C0DB34A4889B65

Function 00921310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009217F6

Strings

CALL, xrefs: 009217C6

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 010eb9cbf6ea04fe8160ecc4cbf5edeb1e41454b45e5ac3ffca74886e3524439
Instruction ID: 6be09a67ff695448c14a6ef3a0ea65725506b1c45e79628f908a17766c37b72f
Opcode Fuzzy Hash: 010eb9cbf6ea04fe8160ecc4cbf5edeb1e41454b45e5ac3ffca74886e3524439
Instruction Fuzzy Hash: 8D22A8706082519FC714DF14E490B2ABBF5BFD9314F24896DF48A8B3A6D735E851CB82

Function 00912DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00952C8C

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

Part of subcall function 00912DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00912DC4

Strings

X, xrefs: 00952C5A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 777c2d94dcd5b81d5cbf7d4954017800eeeb180bc2f421525e776c422844f391
Instruction ID: 9c948462994429480e59af38958dfcca0658bbfb3a62886d33130562760f4657
Opcode Fuzzy Hash: 777c2d94dcd5b81d5cbf7d4954017800eeeb180bc2f421525e776c422844f391
Instruction Fuzzy Hash: EB21D570B1025C9FCF01EF94C845BEE7BFCAF89304F00805AE405AB241DBB85A898FA1

Function 00913837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00913908

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bef9f1446f6e7c739e0dc188ae5cd297d8b05709e9165ad305255f9cd7f7b906
Instruction ID: 420ef60370bdda0d844394dc9b29dcc7a924d570c582ac632457a0f304f1fb8f
Opcode Fuzzy Hash: bef9f1446f6e7c739e0dc188ae5cd297d8b05709e9165ad305255f9cd7f7b906
Instruction Fuzzy Hash: 43318EB06183059FD721DF24D8847D7BBF8FB89708F00096EF99A97250E771AA84DB52

Function 0092F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0092F661

Part of subcall function 0091D730: GetInputState.USER32 ref: 0091D807

Sleep.KERNEL32(00000000), ref: 0096F2DE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 2ccb671f1165b118539ef261f5e9131a0c9d39ee95d6a659f0c28d05f3296e91
Instruction ID: 0ce140e059a54fd6c998e8b2fb80f5230eb1e522b6dbafbf469eef6885b74a8c
Opcode Fuzzy Hash: 2ccb671f1165b118539ef261f5e9131a0c9d39ee95d6a659f0c28d05f3296e91
Instruction Fuzzy Hash: FEF08C713442199FD310EF69E459BAAB7E9EF86761F000029F859CB2A0EB70A840CF90

Function 00914ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00914E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E9C
Part of subcall function 00914E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00914EAE
Part of subcall function 00914E90: FreeLibrary.KERNEL32(00000000,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914EFD

Part of subcall function 00914E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E62
Part of subcall function 00914E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00914E74
Part of subcall function 00914E59: FreeLibrary.KERNEL32(00000000,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E87

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 59f00213ca330a4baef8541dc9361904fe560e33ee2d12f09dc050ad9615bbdd
Instruction ID: 694eda9e6e24e4a4e94d6d267006702e5dab2758360437f8214571fdde984bd8
Opcode Fuzzy Hash: 59f00213ca330a4baef8541dc9361904fe560e33ee2d12f09dc050ad9615bbdd
Instruction Fuzzy Hash: 8B11C132710209AADF15EB60D802BED77A5AFC8711F108429F542AA3C1EE759A85DB90

Function 00948402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00948440

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ff3bf4939bf0142e565d0a995d6d5ee2b0eaf5bea6e9cf2760dff2dd3cc09b57
Instruction ID: 9a073da3e714f41afbacbe15a02a6351599e5819dd7eabb2550f0b22fe5cc9ce
Opcode Fuzzy Hash: ff3bf4939bf0142e565d0a995d6d5ee2b0eaf5bea6e9cf2760dff2dd3cc09b57
Instruction Fuzzy Hash: 1E11067590410AAFCB05DF58E941E9F7BF9EF48314F144059FC08AB312DA31DA118BA5

Function 00945000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00944C7D: RtlAllocateHeap.NTDLL(00000008,00911129,00000000,?,00942E29,00000001,00000364,?,?,?,0093F2DE,00943863,009E1444,?,0092FDF5,?), ref: 00944CBE

_free.LIBCMT ref: 0094506C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 26bceae615b22631250190a564bc6578e4a44a1c0996445d4b83e85567bc3918
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 4A0126762047056BE3218F659881E9AFBEDFB89370F66051DE18893281EA30A805C7B4

Function 0093E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 83e8672462126561863d05457dc915b11188b189ef48df00d4d9859ca958bd59
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 5AF0C832511A1497D7313A6A9C16F9B379C9FD2339F100B19F825971D2DB74E8018EA5

Function 00944C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00911129,00000000,?,00942E29,00000001,00000364,?,?,?,0093F2DE,00943863,009E1444,?,0092FDF5,?), ref: 00944CBE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a917787026b57eddf9ad3a99b98275df4274a636dee392695df5f0dd0a856b8b
Instruction ID: e969eb7fd218f62aff7349cb02059e939d45fb161d251f975a2f7b9c4406bf40
Opcode Fuzzy Hash: a917787026b57eddf9ad3a99b98275df4274a636dee392695df5f0dd0a856b8b
Instruction Fuzzy Hash: EFF0E931646224A7DB215F62AC85FDB378CBF817A3F1D8111BC95AA190CA30DC005AE0

Function 00943820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e02a0f7f8e3eb6efb65b0de938d0b17a21e8e9a39a01ca02dc75f8a627a30fe0
Instruction ID: f85951fc19a5697eda947f0e3e9bc27669b4e35e2f6d0fcdf307dd6c6e71b3c2
Opcode Fuzzy Hash: e02a0f7f8e3eb6efb65b0de938d0b17a21e8e9a39a01ca02dc75f8a627a30fe0
Instruction Fuzzy Hash: D6E02231204224A6E7312AB79C00F9BB75DAF827B0F0A8020BC1596B90DB21EE018AE1

Function 00914F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914F6D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bb65ef64013742783e62e1ebed553ebe186f03a6281aa93eaf505317638cd935
Instruction ID: 82c276b9d5f5284002927f27788436e9b6cfd1c5005330300c311b58f81b69af
Opcode Fuzzy Hash: bb65ef64013742783e62e1ebed553ebe186f03a6281aa93eaf505317638cd935
Instruction Fuzzy Hash: 99F0A070205305CFCB348F20D490892B7E4EF083193108D7EE1DA86710C7319885DF40

Function 009A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009A2A66

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1666a866bc192f1628bd2a4b2b260491c2f4ffb1c05b33cbabfafe70ca58be82
Instruction ID: 3852b4019435fd67638a67cdb9bff50825672c46685d71b5718fcff5661742ed
Opcode Fuzzy Hash: 1666a866bc192f1628bd2a4b2b260491c2f4ffb1c05b33cbabfafe70ca58be82
Instruction Fuzzy Hash: 36E02632354216AEC710FB34DC80AFE734CEF91390B008836FC2AC2140DF34999192E0

Function 009130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0091314E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1be9694f6a046f3061989b2a14c0ce83460754077487e762c423d1390ae60760
Instruction ID: 582d25140d1b610034de0415627d82309eacd3cf6d0ec40f00f12976c2dc49a2
Opcode Fuzzy Hash: 1be9694f6a046f3061989b2a14c0ce83460754077487e762c423d1390ae60760
Instruction Fuzzy Hash: A0F03770A183589FEB52DB24DC857D67BFCAB05708F0000E5A5489A591D7745BC8CF51

Function 00912DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00912DC4

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 14c9509782f6ec60cb7cd048bc80b776d0b3dce13e1c73cc4d2044be265527b3
Instruction ID: 4a27a9832b70684ba39664f2bdf2a6a96e5848bfc98ad2aa7c4d08bc7493956b
Opcode Fuzzy Hash: 14c9509782f6ec60cb7cd048bc80b776d0b3dce13e1c73cc4d2044be265527b3
Instruction Fuzzy Hash: 45E0CD72A041245BC710D2589C05FEA77DDDFC8790F050071FD09D7248DA60ED848690

Function 00912B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00913837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00913908

Part of subcall function 0091D730: GetInputState.USER32 ref: 0091D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00912B6B

Part of subcall function 009130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0091314E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: cf90cf90d481773cf2380eddc4822736142564b91eb03cdc53e3634d0fc2fb10
Instruction ID: 67313eb72b3bf011a4cf2115519f2ab7265350e8d41f185e1c68505522d488b5
Opcode Fuzzy Hash: cf90cf90d481773cf2380eddc4822736142564b91eb03cdc53e3634d0fc2fb10
Instruction Fuzzy Hash: C5E0263130824C03CA04BB30A8526FDA3A98BD2311F40443EF142872F3DE2089C54352

Function 0095039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00950704,?,?,00000000,?,00950704,00000000,0000000C), ref: 009503B7

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8af11b18e6c283d789909ef24ba41ad523c0ddf5aa3929e37cae61bdb888381e
Instruction ID: fbe23f113d5872e3cdf7cb2cca29234dceeac0c7642575f604ccbc78db7c231f
Opcode Fuzzy Hash: 8af11b18e6c283d789909ef24ba41ad523c0ddf5aa3929e37cae61bdb888381e
Instruction Fuzzy Hash: 3FD06C3215410DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 00911CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00911CBC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 49423b7821e7ba93924ada2378272e931ac04500ffe1a7bb48f2a98140465300
Instruction ID: bb592531dc52478c63d21f13ca2f5014715ac7af9cb0b92499cccaabb05c9967
Opcode Fuzzy Hash: 49423b7821e7ba93924ada2378272e931ac04500ffe1a7bb48f2a98140465300
Instruction Fuzzy Hash: BAC09B3529C3449FF3144780BD8AF107754A748B00F445001F6095D5E3C7B15C10F690

Non-executed Functions

Function 009A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009A96C9
SendMessageW.USER32 ref: 009A96F2
GetKeyState.USER32(00000011), ref: 009A978B
GetKeyState.USER32(00000009), ref: 009A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009A97AE
GetKeyState.USER32(00000010), ref: 009A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009A97E9
SendMessageW.USER32 ref: 009A9810
SendMessageW.USER32(?,00001030,?,009A7E95), ref: 009A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009A9941
SetCapture.USER32(?), ref: 009A994A
ClientToScreen.USER32(?,?), ref: 009A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009A99D6
ReleaseCapture.USER32 ref: 009A99E1
GetCursorPos.USER32(?), ref: 009A9A19
ScreenToClient.USER32(?,?), ref: 009A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009A9A80
SendMessageW.USER32 ref: 009A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009A9AEB
SendMessageW.USER32 ref: 009A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009A9B4A
GetCursorPos.USER32(?), ref: 009A9B68
ScreenToClient.USER32(?,?), ref: 009A9B75
GetParent.USER32(?), ref: 009A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009A9BFA
SendMessageW.USER32 ref: 009A9C2B
ClientToScreen.USER32(?,?), ref: 009A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009A9CDE
SendMessageW.USER32 ref: 009A9D01
ClientToScreen.USER32(?,?), ref: 009A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009A9D82

Part of subcall function 00929944: GetWindowLongW.USER32(?,000000EB), ref: 00929952

GetWindowLongW.USER32(?,000000F0), ref: 009A9E05

Strings

F, xrefs: 009A9D07
@GUI_DRAGID, xrefs: 009A997D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 16ba4ff0441f3b8e007a4aafbba39c00278c05645728edb651376d583c22cd49
Instruction ID: 330c54c9492a26a13476239d16835b4b6b06c48c94d5197d8308cab4c5c49241
Opcode Fuzzy Hash: 16ba4ff0441f3b8e007a4aafbba39c00278c05645728edb651376d583c22cd49
Instruction Fuzzy Hash: 1D427F74608241AFD725CF24CC84BAABBE9FF8A314F144619F6998B2A1D731EC50DF91

Function 009A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009A4A7E
IsMenu.USER32(?), ref: 009A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009A4B20
GetWindowLongW.USER32(?,000000F0), ref: 009A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009A4C82
wsprintfW.USER32 ref: 009A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009A4D5A

Strings

%d/%02d/%02d, xrefs: 009A4CA8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 41b1347d64c15ad788af38bb8ac7149dc09983e6d3549bcc490ebc8de40b7dc5
Instruction ID: 67b593611462b5653242f08078831618a514a091ffa8c5202226686bc1293349
Opcode Fuzzy Hash: 41b1347d64c15ad788af38bb8ac7149dc09983e6d3549bcc490ebc8de40b7dc5
Instruction Fuzzy Hash: 1C12E271600255AFEB258F28DC49FAE7BF8EF86710F104529F516EB2E1DBB49940CB90

Function 0092F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0092F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096F474
IsIconic.USER32(00000000), ref: 0096F47D
ShowWindow.USER32(00000000,00000009), ref: 0096F48A
SetForegroundWindow.USER32(00000000), ref: 0096F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0096F4AA
GetCurrentThreadId.KERNEL32 ref: 0096F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0096F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0096F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0096F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0096F4DE
SetForegroundWindow.USER32(00000000), ref: 0096F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F4F6
keybd_event.USER32(00000012,00000000), ref: 0096F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F50B
keybd_event.USER32(00000012,00000000), ref: 0096F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F519
keybd_event.USER32(00000012,00000000), ref: 0096F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F528
keybd_event.USER32(00000012,00000000), ref: 0096F52D
SetForegroundWindow.USER32(00000000), ref: 0096F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0096F557

Strings

Shell_TrayWnd, xrefs: 0096F46F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1afa3e4514dfff70f53f87933ad57a4af02f8dff5271323096e051820a178d9f
Instruction ID: 669d56e53366ad6b076a6a95815da525c28efdb50de93faabada8c81416e0a8f
Opcode Fuzzy Hash: 1afa3e4514dfff70f53f87933ad57a4af02f8dff5271323096e051820a178d9f
Instruction Fuzzy Hash: 863132B1A54218BFEB216BB55C4AFBF7E6CEF45B50F100465FA01EA1D1CAB15D00BAA0

Function 00971201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0097170D
Part of subcall function 009716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0097173A
Part of subcall function 009716C3: GetLastError.KERNEL32 ref: 0097174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00971286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009712A8
CloseHandle.KERNEL32(?), ref: 009712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009712D1
GetProcessWindowStation.USER32 ref: 009712EA
SetProcessWindowStation.USER32(00000000), ref: 009712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00971310

Part of subcall function 009710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009711FC), ref: 009710D4
Part of subcall function 009710BF: CloseHandle.KERNEL32(?,?,009711FC), ref: 009710E9

Strings

, xrefs: 0097125A
default, xrefs: 0097130B
winsta0, xrefs: 009712CC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 47430b3470adccb0c2e68a43a0b57cc7a0663dcd5ee76eb2483c9aff7d628569
Instruction ID: 7c77cdc56e9c7ad69e0fa346bcda07d2ee24c96a827bedc29b0b04d17f642f8b
Opcode Fuzzy Hash: 47430b3470adccb0c2e68a43a0b57cc7a0663dcd5ee76eb2483c9aff7d628569
Instruction Fuzzy Hash: 1281ADB2900209AFDF219FA8DC49FEE7BBDEF45704F148129F918E62A0D7308944DB64

Function 00970B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00971114
Part of subcall function 009710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971120
Part of subcall function 009710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 0097112F
Part of subcall function 009710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971136
Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0097114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00970BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00970C00
GetLengthSid.ADVAPI32(?), ref: 00970C17
GetAce.ADVAPI32(?,00000000,?), ref: 00970C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00970C6D
GetLengthSid.ADVAPI32(?), ref: 00970C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00970C8C
HeapAlloc.KERNEL32(00000000), ref: 00970C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00970CB4
CopySid.ADVAPI32(00000000), ref: 00970CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00970CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00970D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00970D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970D45
HeapFree.KERNEL32(00000000), ref: 00970D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970D55
HeapFree.KERNEL32(00000000), ref: 00970D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970D65
HeapFree.KERNEL32(00000000), ref: 00970D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00970D78
HeapFree.KERNEL32(00000000), ref: 00970D7F

Part of subcall function 00971193: GetProcessHeap.KERNEL32(00000008,00970BB1,?,00000000,?,00970BB1,?), ref: 009711A1
Part of subcall function 00971193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00970BB1,?), ref: 009711A8
Part of subcall function 00971193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00970BB1,?), ref: 009711B7

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9c40b4a1197fa13e71dd023a204cc880ae9d9d6d61e96aa363dd1773bacbca12
Instruction ID: fb2db6000c31e59f406029a6605bb284478772e6881e357e8c2e63dc1e352351
Opcode Fuzzy Hash: 9c40b4a1197fa13e71dd023a204cc880ae9d9d6d61e96aa363dd1773bacbca12
Instruction Fuzzy Hash: B4715CB2A0431AEBDF10DFA4DC45BAEBBBCBF45300F048515E919AB291D771A905CBA0

Function 0098EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009ACC08), ref: 0098EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0098EB37
GetClipboardData.USER32(0000000D), ref: 0098EB43
CloseClipboard.USER32 ref: 0098EB4F
GlobalLock.KERNEL32(00000000), ref: 0098EB87
CloseClipboard.USER32 ref: 0098EB91
GlobalUnlock.KERNEL32(00000000), ref: 0098EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0098EBC9
GetClipboardData.USER32(00000001), ref: 0098EBD1
GlobalLock.KERNEL32(00000000), ref: 0098EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0098EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0098EC38
GetClipboardData.USER32(0000000F), ref: 0098EC44
GlobalLock.KERNEL32(00000000), ref: 0098EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0098EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0098EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0098ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0098ECF3
CountClipboardFormats.USER32 ref: 0098ED14
CloseClipboard.USER32 ref: 0098ED59

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 26c3d6d2205e544ece4bc14c617f9fc88eb114ee65e190846edb91cbf292f01a
Instruction ID: 36d7a9abeca1aa40d4da6bee1c04f2a1693f3fd01c3859356c580e4c56112e02
Opcode Fuzzy Hash: 26c3d6d2205e544ece4bc14c617f9fc88eb114ee65e190846edb91cbf292f01a
Instruction Fuzzy Hash: 1761DF742082069FD300EF24C8A4F6AB7E8EF85714F14455DF8569B3A2DB31DD49DBA2

Function 0098698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009869BE
FindClose.KERNEL32(00000000), ref: 00986A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00986A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00986A75

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00986AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00986ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00986B32
%4d, xrefs: 00986BB1
%03d, xrefs: 00986DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00986B6A
%02d, xrefs: 00986C00, 00986C0A, 00986C5A, 00986CAA, 00986CFA, 00986D4A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 7cf6b44cf5fd5d19514ac61f50a670a9314a2b0ed2712c81d6111ff92f3a1520
Instruction ID: 3193dd75dfec70cd02873d7ad2897f0b782c64b19cbb178360bf81c8b0ac6f22
Opcode Fuzzy Hash: 7cf6b44cf5fd5d19514ac61f50a670a9314a2b0ed2712c81d6111ff92f3a1520
Instruction Fuzzy Hash: 4FD151B1508304AEC714EBA4D991EABB7ECAFC8704F44491DF589C7291EB74DA44CB62

Function 00989642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00989663
GetFileAttributesW.KERNEL32(?), ref: 009896A1
SetFileAttributesW.KERNEL32(?,?), ref: 009896BB
FindNextFileW.KERNEL32(00000000,?), ref: 009896D3
FindClose.KERNEL32(00000000), ref: 009896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0098974A
SetCurrentDirectoryW.KERNEL32(009D6B7C), ref: 00989768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00989772
FindClose.KERNEL32(00000000), ref: 0098977F
FindClose.KERNEL32(00000000), ref: 0098978F

Strings

*.*, xrefs: 009896F5

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b92b008d2cbc81bf673e618070a32f7fba3aa0aa26b82b6d448fb1ab24a4c9b3
Instruction ID: 73eb14d3bfbe46630e244246522c1e4d56a5b11182efad3dbe957a0f2ff77fff
Opcode Fuzzy Hash: b92b008d2cbc81bf673e618070a32f7fba3aa0aa26b82b6d448fb1ab24a4c9b3
Instruction Fuzzy Hash: 1331E2725442197EDF10EFB4DC08AEE77ACAF8A320F184156F815E62A0EB34DE408F94

Function 0098979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00989819
FindClose.KERNEL32(00000000), ref: 00989824
FindFirstFileW.KERNEL32(*.*,?), ref: 00989840
SetCurrentDirectoryW.KERNEL32(?), ref: 00989890
SetCurrentDirectoryW.KERNEL32(009D6B7C), ref: 009898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009898B8
FindClose.KERNEL32(00000000), ref: 009898C5
FindClose.KERNEL32(00000000), ref: 009898D5

Part of subcall function 0097DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0097DB00

Strings

*.*, xrefs: 0098983B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 03386f16e8f34c5696df3df54b80639cea69c28657fe42569331988c3a52043e
Instruction ID: 42fbc3b38db4697121beb6fcec8c342b640a22c696da8133c054b04f7aab5444
Opcode Fuzzy Hash: 03386f16e8f34c5696df3df54b80639cea69c28657fe42569331988c3a52043e
Instruction Fuzzy Hash: AA31B47154461A7EDF10FFB4DC48AEE77AC9F4A324F188156E854A6290DB34DE44CF60

Function 0099BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0099BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0099BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0099C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0099C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0099C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0099C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0099C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0099C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0099C382
RegCloseKey.ADVAPI32(00000000), ref: 0099C38F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d44324458c80c78b1625806285d3a3fb6126ee348db080eded5fe954475cc232
Instruction ID: e237e50ad795557f4e978d457f696f57d9f3f81c7fa907ecdae45a7c0402074f
Opcode Fuzzy Hash: d44324458c80c78b1625806285d3a3fb6126ee348db080eded5fe954475cc232
Instruction Fuzzy Hash: 00023FB16042009FDB14DF28C895E2ABBE9EF89314F18C49DF84ADB2A2D731ED45CB51

Function 00988195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00988257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00988267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00988273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00988310
SetCurrentDirectoryW.KERNEL32(?), ref: 00988324
SetCurrentDirectoryW.KERNEL32(?), ref: 00988356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0098838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00988395

Strings

*.*, xrefs: 0098839B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9d16e1cf42eaa9e9eece00790c4d69d91e010522ca670e4d9c508f2700c7a00e
Instruction ID: 08c729553e5bf537c642a148cbc167ecd825c898ef971cf0fe8d0a2987cedf95
Opcode Fuzzy Hash: 9d16e1cf42eaa9e9eece00790c4d69d91e010522ca670e4d9c508f2700c7a00e
Instruction Fuzzy Hash: A2616FB25083059FCB10EF54C844A9FB3E9FF89310F44891EF99997251DB35E945CBA2

Function 0097D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

Part of subcall function 0097E199: GetFileAttributesW.KERNEL32(?,0097CF95), ref: 0097E19A

FindFirstFileW.KERNEL32(?,?), ref: 0097D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0097D1DD
MoveFileW.KERNEL32(?,?), ref: 0097D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0097D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0097D237

Part of subcall function 0097D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0097D21C,?,?), ref: 0097D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0097D253
FindClose.KERNEL32(00000000), ref: 0097D264

Strings

\*.*, xrefs: 0097D0CD, 0097D0D6, 0097D0EB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6f12c724814339d3963797b00d337dbe32dd5ea7ae1df79b73521c693274ae18
Instruction ID: 5ef3979ff0776729816885990bf48c6017db33ca61ad935921d228e15c944ede
Opcode Fuzzy Hash: 6f12c724814339d3963797b00d337dbe32dd5ea7ae1df79b73521c693274ae18
Instruction Fuzzy Hash: 0A619372D0610D9FCF05EBE0C952AEDB779AF95300F6480A5E41677192EB30AF4ADB60

Function 0098ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0098ED91
EmptyClipboard.USER32 ref: 0098ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0098EDAC
CloseClipboard.USER32 ref: 0098EEA3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1d910a9ad5f476c9f4152526e035619cbf826da3b2eb47e46d4498d658107789
Instruction ID: 3bd2d7f608f2c9999f0d56fe9c13990e2b7da2eff6bf0b0b049bfe6d3b1e4d5d
Opcode Fuzzy Hash: 1d910a9ad5f476c9f4152526e035619cbf826da3b2eb47e46d4498d658107789
Instruction Fuzzy Hash: CA418B75208612AFE320EF15D898F59BBE5EF45318F148099E4268F7A2C735EC42CBD0

Function 0097E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0097170D
Part of subcall function 009716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0097173A
Part of subcall function 009716C3: GetLastError.KERNEL32 ref: 0097174A

ExitWindowsEx.USER32(?,00000000), ref: 0097E932

Strings

@, xrefs: 0097E925
, xrefs: 0097E920
SeShutdownPrivilege, xrefs: 0097E902
, xrefs: 0097E95C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 87c968c9a7dcbe6d6dfb710024d52b320ab13792c286a93a87d24b876d9fd3fc
Instruction ID: 60400658480e2ca0c64bd375560a055b8a0dd425fc4e46334820cd26d6b9d175
Opcode Fuzzy Hash: 87c968c9a7dcbe6d6dfb710024d52b320ab13792c286a93a87d24b876d9fd3fc
Instruction Fuzzy Hash: A4014973620210EFEB6426B89C8AFBF725C9B08780F14C862FE0BF21D1D6A45C4082D0

Function 00991204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00991276
WSAGetLastError.WSOCK32 ref: 00991283
bind.WSOCK32(00000000,?,00000010), ref: 009912BA
WSAGetLastError.WSOCK32 ref: 009912C5
closesocket.WSOCK32(00000000), ref: 009912F4
listen.WSOCK32(00000000,00000005), ref: 00991303
WSAGetLastError.WSOCK32 ref: 0099130D
closesocket.WSOCK32(00000000), ref: 0099133C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f5e581c360e40ff42729ef0cfe2e8a449d6e698f4d8392bf588f4b8de1a433c1
Instruction ID: b8790813016d647e76277f6a6bec7aa8dd9acf81efff12e6bce704fe0467e2f9
Opcode Fuzzy Hash: f5e581c360e40ff42729ef0cfe2e8a449d6e698f4d8392bf588f4b8de1a433c1
Instruction Fuzzy Hash: A24184716001019FDB10EF68C485B69BBE6BF86318F188198E8669F3D2C775ED81CBE1

Function 0094B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0094B9D4
_free.LIBCMT ref: 0094B9F8
_free.LIBCMT ref: 0094BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009B3700), ref: 0094BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,009E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0094BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,009E1270,000000FF,?,0000003F,00000000,?), ref: 0094BC36
_free.LIBCMT ref: 0094BD4B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3a0439a2c179a2b5fac1cff54fe8b6136cf676eb27c33bb2d414d1ef5bb76033
Instruction ID: e3e3653459b1c88f7557c2e7399325048ae572f82c5c034fa7e40649e295140b
Opcode Fuzzy Hash: 3a0439a2c179a2b5fac1cff54fe8b6136cf676eb27c33bb2d414d1ef5bb76033
Instruction Fuzzy Hash: 88C10271A04245ABDB249F69CC91FAEBBFCEF81350F14419AE590DB291EB30DE418B90

Function 0097D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

Part of subcall function 0097E199: GetFileAttributesW.KERNEL32(?,0097CF95), ref: 0097E19A

FindFirstFileW.KERNEL32(?,?), ref: 0097D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0097D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0097D481
FindClose.KERNEL32(00000000), ref: 0097D498
FindClose.KERNEL32(00000000), ref: 0097D4A1

Strings

\*.*, xrefs: 0097D3F2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 318c630de86595b029dc7e8308e5c45e573f49858fd02855ba9d1af355549cdf
Instruction ID: 394a49e03df803da04c593ed26a78c94d70ac89bdc82cb6dcfff545150270f36
Opcode Fuzzy Hash: 318c630de86595b029dc7e8308e5c45e573f49858fd02855ba9d1af355549cdf
Instruction Fuzzy Hash: B031617211D3459FC200EF64C8959EF77B8AED1314F44891DF4E5521A1EB20EA49D7A2

Function 0094E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0094E645

Strings

1#SNAN, xrefs: 0094F844
1#INF, xrefs: 0094F852
1#QNAN, xrefs: 0094F84B
1#IND, xrefs: 0094F83D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e23765ab326ed365bbeaf47c797887785b6dcc06240a26be2b27a036b22ed76f
Instruction ID: a62b622d6f9ad312c9b434990cd7c637442be05f05379a809f8e401303eee8a2
Opcode Fuzzy Hash: e23765ab326ed365bbeaf47c797887785b6dcc06240a26be2b27a036b22ed76f
Instruction Fuzzy Hash: 28C22A71E086298FDB25CF289D50BEAB7B9FB84305F1545EAD44DE7240E778AE818F40

Function 0098648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009864DC
CoInitialize.OLE32(00000000), ref: 00986639
CoCreateInstance.OLE32(009AFCF8,00000000,00000001,009AFB68,?), ref: 00986650
CoUninitialize.OLE32 ref: 009868D4

Strings

.lnk, xrefs: 009864BA, 00986524, 009865E0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 411540ae183e0450c683be307bb4d839b9423b7ead69f34cd211e38341dd42cd
Instruction ID: 1ada7d92534b678e867950243ac56127e493bbd1a4ed66cb312305e4b7e939b3
Opcode Fuzzy Hash: 411540ae183e0450c683be307bb4d839b9423b7ead69f34cd211e38341dd42cd
Instruction Fuzzy Hash: D9D13A716083059FC314EF24C891AABB7E9FFD9704F00496DF5958B291EB70E945CBA2

Function 009922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009922E8

Part of subcall function 0098E4EC: GetWindowRect.USER32(?,?), ref: 0098E504

GetDesktopWindow.USER32 ref: 00992312
GetWindowRect.USER32(00000000), ref: 00992319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00992355
GetCursorPos.USER32(?), ref: 00992381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009923DF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c5753afc12711974b6cd0782cebe6a13e2cae29a03ebb599d51a0200db7681f1
Instruction ID: dc8cde15fe5bb5c9121bdcea5672ba6cb8b465f8851081b5abaf440763da258e
Opcode Fuzzy Hash: c5753afc12711974b6cd0782cebe6a13e2cae29a03ebb599d51a0200db7681f1
Instruction Fuzzy Hash: 5F31B072509315AFDB20DF58C84AB5BB7ADFF89714F000919F9899B191DB34E908CBD2

Function 00989B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00989B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00989C8B

Part of subcall function 00983874: GetInputState.USER32 ref: 009838CB
Part of subcall function 00983874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00983966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00989BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00989C75

Strings

*.*, xrefs: 00989B5D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bd2e89f00c093658ade8f4a7ed39636a3d7dce429404f01d361fb3265024b0a6
Instruction ID: 06507a45aca6b79cde2a436429116a7a1350f19d90d7e2c02c2a16f25547c00c
Opcode Fuzzy Hash: bd2e89f00c093658ade8f4a7ed39636a3d7dce429404f01d361fb3265024b0a6
Instruction Fuzzy Hash: CD41827190420AAFCF15EFA4C845BFE7BB8EF45310F144056E859A7291EB319E84CFA0

Function 0092997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00929A4E
GetSysColor.USER32(0000000F), ref: 00929B23
SetBkColor.GDI32(?,00000000), ref: 00929B36

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: de194e2df2ce545315bb83d743decf2031f122e6e507b9b96503f1b187ed4a36
Instruction ID: 96fe475b33dcb5ab2bb59aa31871ade45a00489b12e0a47a0b9d8f61670f233f
Opcode Fuzzy Hash: de194e2df2ce545315bb83d743decf2031f122e6e507b9b96503f1b187ed4a36
Instruction Fuzzy Hash: DEA15D7021C664BEE728AA7CEC98F7F769DEF83344F140509F402DA599CA299D41D2B2

Function 00991806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0099304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0099307A
Part of subcall function 0099304E: _wcslen.LIBCMT ref: 0099309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0099185D
WSAGetLastError.WSOCK32 ref: 00991884
bind.WSOCK32(00000000,?,00000010), ref: 009918DB
WSAGetLastError.WSOCK32 ref: 009918E6
closesocket.WSOCK32(00000000), ref: 00991915

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4d8dcf6a435a75d294c0e6239dd54fb8c59fdb2085e30fe603edbcbf5655f07d
Instruction ID: 79c522eff640a84412240cf141dd85677c2cf67c72d89ff2760d0b1420f28fcd
Opcode Fuzzy Hash: 4d8dcf6a435a75d294c0e6239dd54fb8c59fdb2085e30fe603edbcbf5655f07d
Instruction Fuzzy Hash: F351C471B002109FDB10AF28D886F6A77E5AF85718F048458F9169F3D3D775AD818BE1

Function 009A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009A1CC0
IsWindowEnabled.USER32 ref: 009A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009A1CDB
IsIconic.USER32 ref: 009A1CE9
IsZoomed.USER32 ref: 009A1CF7

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fe01098acf074c792c95ce8cf767c8ec22f74348fb3fe8977460c6bf6fbb7d47
Instruction ID: 46cfbd5fc3e64d28aa02a14864c9633c722910d704131b7ddc931cb0847f689c
Opcode Fuzzy Hash: fe01098acf074c792c95ce8cf767c8ec22f74348fb3fe8977460c6bf6fbb7d47
Instruction Fuzzy Hash: 1A2195717446115FD7208F2AC844B6A7BE9EF97325F198059E886CB391C771EC42CBD4

Function 00918060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009183E8
VUUU, xrefs: 0091843C
ERCP, xrefs: 0091813C
VUUU, xrefs: 009183FA
VUUU, xrefs: 00955DF0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f4bdb134b4cf6153ad2e35a63d0606f700cbf4d7b9fd252c371c034942e5890f
Instruction ID: 2bce67ab91f2f37fea4f0b6cd80a40af24b8d84ee961956897f061f02a531db6
Opcode Fuzzy Hash: f4bdb134b4cf6153ad2e35a63d0606f700cbf4d7b9fd252c371c034942e5890f
Instruction Fuzzy Hash: 72A2AB70A0061ACBDF24CF59C8907EEB7B6BB54311F2485AAEC15A7281EB349DC5DF90

Function 0097AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0097AAAC
SetKeyboardState.USER32(00000080), ref: 0097AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0097AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0097AB88

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fb76c9e53b2e3783427595a4b92d33c8f4d38915cf64292d7f1f93db962b8ad7
Instruction ID: 84b02bb88c46f9ec1908414ad0a4ff65885079593321e33d7b553617fcf969be
Opcode Fuzzy Hash: fb76c9e53b2e3783427595a4b92d33c8f4d38915cf64292d7f1f93db962b8ad7
Instruction Fuzzy Hash: 6B312872A40208AEFF35CA64CC05BFE7BAAEFD5310F04C21AF189561D0D3788981D7A6

Function 0098CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0098CE89
GetLastError.KERNEL32(?,00000000), ref: 0098CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0098CEFE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 3b5c8c48841ad75eafe8814079d8d9fa7a1b3816b82ea922450b2e2a96814569
Instruction ID: f62be249ea67b0e0b929f279e56a8f11d8a195f4639a9b2244ef8867a44bee52
Opcode Fuzzy Hash: 3b5c8c48841ad75eafe8814079d8d9fa7a1b3816b82ea922450b2e2a96814569
Instruction Fuzzy Hash: 8F2190B15043059BEB30EF65D948BA677FCEF40354F10441EE646D2252EB74ED049BA4

Function 00978298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009782AA

Strings

|, xrefs: 009782DA
(, xrefs: 009782F0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 11ca7eee6fbd3f7d55a499df2a2793381e66d865595eb084b688b78fdb38ec1e
Instruction ID: 25937714f18ac1ba2dc91ac005410ba5b7efb0d7de218837923aa5f78ffa0385
Opcode Fuzzy Hash: 11ca7eee6fbd3f7d55a499df2a2793381e66d865595eb084b688b78fdb38ec1e
Instruction Fuzzy Hash: BB323575A007059FCB28CF59C085AAAB7F0FF48710B15C56EE4AADB7A1EB70E941CB40

Function 00985C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00985CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00985D17
FindClose.KERNEL32(?), ref: 00985D5F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1d17b887bc6edcf010dee97ad4a6f6e19b93b060870e48eb6d6f734cf48a33b0
Instruction ID: 767ec13cf310864ba91e6ca786a288334e1761358bc51266594f013426f5b50d
Opcode Fuzzy Hash: 1d17b887bc6edcf010dee97ad4a6f6e19b93b060870e48eb6d6f734cf48a33b0
Instruction Fuzzy Hash: 2651AC746046019FC714DF28C494E96B7E8FF49324F15855EE9AA8B3A2CB30ED49CF91

Function 00942622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0094271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00942724
UnhandledExceptionFilter.KERNEL32(?), ref: 00942731

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 77a21a04d8b05aa8589539fe98ef25660954051f9c49578ba414b6befe6c93af
Instruction ID: b4d648c25d7dd9a96a7924b9cf16fb1823f27e8f057259a62ec57c274083f4b6
Opcode Fuzzy Hash: 77a21a04d8b05aa8589539fe98ef25660954051f9c49578ba414b6befe6c93af
Instruction Fuzzy Hash: C331B47491121C9BCB21DF64DD89BDDBBB8BF48710F5041EAE81CA6261E7709F818F45

Function 009851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00985238
SetErrorMode.KERNEL32(00000000), ref: 009852A1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 888a052dddf2faab27b02d5ba07b88d81f5ff318eca83fd95c2920839aec9007
Instruction ID: 5274827976f12ccdd242ad86db9fa8d285182f923e468f19b82553b0c34c1967
Opcode Fuzzy Hash: 888a052dddf2faab27b02d5ba07b88d81f5ff318eca83fd95c2920839aec9007
Instruction Fuzzy Hash: C4314C75A14518DFDB00EF54D884FADBBB4FF49314F058099E805AB362DB31E85ACB90

Function 009716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0092FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00930668
Part of subcall function 0092FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00930685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0097170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0097173A
GetLastError.KERNEL32 ref: 0097174A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: bcb9209abc95d686df21af636c8a1bdd1d72b125e30907c3b8c9e265472321fc
Instruction ID: b4512fb6d188c4d75a99392cfb5b45f4e178d19f2a7ecd8d5b46e6f31cff17b6
Opcode Fuzzy Hash: bcb9209abc95d686df21af636c8a1bdd1d72b125e30907c3b8c9e265472321fc
Instruction Fuzzy Hash: D011CEB2514305AFD718AF58EC86E6ABBBDEF44714B20C52EE05A57281EB70BC418A60

Function 0097D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0097D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0097D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0097D650

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7ea3d2597e870543be40e1b354af526a7732e2c21ed29765907bddacd862b609
Instruction ID: 97dac8731ebb49402f0c64c39d2c1ebacb55377c981963ee26219b981e32eb97
Opcode Fuzzy Hash: 7ea3d2597e870543be40e1b354af526a7732e2c21ed29765907bddacd862b609
Instruction Fuzzy Hash: 3C113CB6E05228BBDB108F959C45FAFBBBCEB45B50F108115F918E7290D6704A059BA1

Function 00971663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0097168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009716A1
FreeSid.ADVAPI32(?), ref: 009716B1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4d58a81db85e5951c72d03565d45680e4f9ded8cd35bcca23a505377235efad1
Instruction ID: f1889885fb7691ebf5183a7f51b8f7fff4c0332fb1613a8fad4cfc069703e953
Opcode Fuzzy Hash: 4d58a81db85e5951c72d03565d45680e4f9ded8cd35bcca23a505377235efad1
Instruction Fuzzy Hash: 9FF0F4B195030DFBDF00DFE49C89AAEBBBCEF08604F508565E501E6181E774AA449A90

Function 0094C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0094C36C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 535ad301eac9c92b8b992657d30b92fb2472acb0011b8c2c73756525dd687c6c
Instruction ID: 31dab9e33476dc00a162b14aa094d29303ccdbb4224f12ac794f48a0d456549e
Opcode Fuzzy Hash: 535ad301eac9c92b8b992657d30b92fb2472acb0011b8c2c73756525dd687c6c
Instruction Fuzzy Hash: C94147B2901219AFCB209FB9CC88EBB77BCEB84314F104269F915D7180F6709D80CB50

Function 0096D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0096D28C

Strings

X64, xrefs: 0096D2A8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5e710c8d6dd8a2e90cd1b5807beaac3747a0930dd68eda2c1c3e7aa43c1ef2a1
Instruction ID: 250deca1b3cf1ce4b6501df71f8a24874a3d093d60ace30b3c3ad026dc790704
Opcode Fuzzy Hash: 5e710c8d6dd8a2e90cd1b5807beaac3747a0930dd68eda2c1c3e7aa43c1ef2a1
Instruction Fuzzy Hash: 1DD0CAB481616DEACF90CBA0EC88DDAB3BCBF04305F100A92F106A2000DB3896489F20

Function 0093CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f824e4241730826b5c94aa1b0732e74c573b78b3094e710b5c3189142ff6de54
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 55020CB1E006199BDF24CFA9C8806ADBBF5EF88314F258569E819F7384D731AD418F94

Function 009868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00986918
FindClose.KERNEL32(00000000), ref: 00986961

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d53fa2981546329376314b080aef558a52c105d0f7e7cae6db73e203206d1c6f
Instruction ID: 9effdf817e7b231d795c16a86485b5a8ec0db5979f219673229fe8ea927874b7
Opcode Fuzzy Hash: d53fa2981546329376314b080aef558a52c105d0f7e7cae6db73e203206d1c6f
Instruction Fuzzy Hash: 38118E716142019FC710DF69D488A16BBE5EF85328F14C699E8698F7A2CB31EC45CB91

Function 009837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00994891,?,?,00000035,?), ref: 009837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00994891,?,?,00000035,?), ref: 009837F4

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d3bc13fe642af70ac0b607bd6e9f575c526da203c4a6d9153dbe3ff6ebcce47a
Instruction ID: 851939ab520329b052757b1b6051af45e2f4c254d1ccdec25442b94fce182312
Opcode Fuzzy Hash: d3bc13fe642af70ac0b607bd6e9f575c526da203c4a6d9153dbe3ff6ebcce47a
Instruction Fuzzy Hash: 03F0E5B07042292AEB2067668C4DFEB3AAEEFC5B61F004175F909E2281DA60D944C7F0

Function 0097B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0097B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0097B270

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 27d4c68b74409823391d0a85fc7af13f8fdd82de0364e262381b973cd22ae5f6
Instruction ID: ff86473a4d392a6777a61617cdb783b9c7733a94996633bed74527276c0c3017
Opcode Fuzzy Hash: 27d4c68b74409823391d0a85fc7af13f8fdd82de0364e262381b973cd22ae5f6
Instruction Fuzzy Hash: 3AF01D7181424DABDB059FA0C805BBE7BB4FF05309F008409F965A9192C37996119F94

Function 009710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009711FC), ref: 009710D4
CloseHandle.KERNEL32(?,?,009711FC), ref: 009710E9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c092e9483ff8f075fbac2f07cb4a0b073c55662424c9a05d5e4955f4b230294b
Instruction ID: e01ae2bcfa6bd144c4326939580dba60faeae2c3c42ce05d2df96b06e7f8fd1b
Opcode Fuzzy Hash: c092e9483ff8f075fbac2f07cb4a0b073c55662424c9a05d5e4955f4b230294b
Instruction Fuzzy Hash: 63E04F72018610AFEB252B11FC05F7377A9EF04310F10882DF4A6844B5DB626C90EB50

Function 0091CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00960C40

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 004e26b3a961e1f85650b8cee2c1551d9bdd01c8ef91d6356e16f5818ce72aac
Instruction ID: 13025401be11d6d212d87b88c05bee17f6da247d5e05eeab7ac364277f75dbaf
Opcode Fuzzy Hash: 004e26b3a961e1f85650b8cee2c1551d9bdd01c8ef91d6356e16f5818ce72aac
Instruction Fuzzy Hash: 69329EB4A4021CDBCF14DF94D981BEEB7B9FF84304F148459E806AB292D775AD86CB50

Function 0094676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00946766,?,?,00000008,?,?,0094FEFE,00000000), ref: 00946998

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c5d9c22b948aa37dd36d2e5386514726bc7d66c0edbe289e19f70f028d37fae5
Instruction ID: 6e7136ee628ecde3389b04da3ea888914e4205d24453f87a6318bd5d4975354d
Opcode Fuzzy Hash: c5d9c22b948aa37dd36d2e5386514726bc7d66c0edbe289e19f70f028d37fae5
Instruction Fuzzy Hash: 80B14CB1610609DFD719CF28C48AF657BE0FF46368F258658E899CF2A2C335E991CB41

Function 0092B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0096851F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e8ad078baa23a8dfd3e9bc75e71434db9882e0cc57f4d3eb698c26e178801110
Instruction ID: c2589b8c999bda6c43e650b4ac298b3595696daf4f71b1d759c3414845751a24
Opcode Fuzzy Hash: e8ad078baa23a8dfd3e9bc75e71434db9882e0cc57f4d3eb698c26e178801110
Instruction Fuzzy Hash: 72123D71D002299BDB24DF58D890BEEB7F5FF48710F14819AE849EB255EB349A81CB90

Function 0098EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0098EABD

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6685c02cf754d4289f390b223e831b5f0694a4a34762a7c568d0cfe05c2e1057
Instruction ID: 563b5d1bc2402bd42688f6e40ef0df4aaadf4165dab62e585e0c72cd328519e3
Opcode Fuzzy Hash: 6685c02cf754d4289f390b223e831b5f0694a4a34762a7c568d0cfe05c2e1057
Instruction Fuzzy Hash: 2EE01A752102049FC710EF59D814E9AB7E9AF98760F008416FC49CB351DA74E8818B90

Function 009309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009303EE), ref: 009309DA

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6534d3d321f49b09e861c29bd66ab3e372fdc6cc417c54422cda2cda33dec8eb
Instruction ID: b462555d463a9e8412e1ae824d45db344b415d4bd4b24870454653dc14d4d6f9
Opcode Fuzzy Hash: 6534d3d321f49b09e861c29bd66ab3e372fdc6cc417c54422cda2cda33dec8eb
Instruction Fuzzy Hash:

Function 0093781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0093798B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5b591a15eef6fa57032077cbb1ca6837219f4bb507d64a89c22f9a5379f52f13
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CD5135E160C7456BDB3885E888DEBBFE3CD9B46340F180A09E986D7282C619DE41DF56

Function 00946DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96dbb70bcb9cb7f5db562f12b68ab4b460073194c25ade1285f6e4b5024aae5b
Instruction ID: 4ba962214ceaec7495db8165cdd95537aa39a4d54fe5b23b24e1ac55959b6763
Opcode Fuzzy Hash: 96dbb70bcb9cb7f5db562f12b68ab4b460073194c25ade1285f6e4b5024aae5b
Instruction Fuzzy Hash: FA322122D2DF054DDB239635C922336A68DAFB73D5F15C737F81AB5AA9EB28C4835100

Function 0092CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc93718018323dceacb0d7405aa49ddf4415f827f0a75e9f17385238985274a
Instruction ID: 1465acf323519c6c14dde12e9a7b9c6015225bcfa7099111d98b9be9dfed9467
Opcode Fuzzy Hash: 2fc93718018323dceacb0d7405aa49ddf4415f827f0a75e9f17385238985274a
Instruction Fuzzy Hash: FE3237F1A041158BCF28CF68D49467D7BA9EB45301F28896BF8CADB395D238DE81DB41

Function 00917920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52f89a787260bf673df14e1ba05c34abdb568aca7ba144ae17149cc8cb1e305
Instruction ID: 70d012bc3e9ed3047f24933cab62014ca1cf7f34043280a399a6a50338478e07
Opcode Fuzzy Hash: c52f89a787260bf673df14e1ba05c34abdb568aca7ba144ae17149cc8cb1e305
Instruction Fuzzy Hash: 0422CEB0A0460ADFDF14CFA5D891AEEF3B5FF44300F214529E816A7291EB39AD95CB50

Function 009191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b283b295d87fcfabc75d32b68fba9d7604fcc13dbf59e1a1f788877cbfa53e3
Instruction ID: d72b22b9b952f0e496eccf5180df71118e6c58b826503aa414f77dbf2c2698bb
Opcode Fuzzy Hash: 0b283b295d87fcfabc75d32b68fba9d7604fcc13dbf59e1a1f788877cbfa53e3
Instruction Fuzzy Hash: 2402F5B1E0020AEBDB04DF65D891BAEB7B5FF44300F108569E816DB290EB35EE55CB81

Function 00949EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5144c672897307e9ec23867936c7d884148e2d648239363209974fe5ca265e72
Instruction ID: 00447b25953a6da98ab472763e3e4b4010249be71d28dd7accc856df2d8be03a
Opcode Fuzzy Hash: 5144c672897307e9ec23867936c7d884148e2d648239363209974fe5ca265e72
Instruction Fuzzy Hash: C0B1E020D3AF414DC22396398935337B69CAFBB6E5F91D71BFC2674D22EB2286835140

Function 00931C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 20c18367f5dea1671d5a969c9eb3b883792fb6e67da7dc9ef13cb499d4ea01f4
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 56918A731080A34ADB6D463E857407EFFE55A923A1B1A0B9DD4F2CB1E5FE24C954DE20

Function 00931F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: a35f33301cf17e3668c30a49df42705ca9590c28db9a6a99dcb83bfcbd6a190b
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: E991777220D0A349DB6D437D857403EFFE55A923A1B1A079DD4F2CB1D5EE24C958EE20

Function 009319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: fba56d1a74e0cced197f152f98522a888e9be13cac59b81451e846c306b6ccfd
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 309187722090E34EDB2D427A957403EFFF55A923A2B1A079ED4F2CA1E5FE14C564DE20

Function 00937A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc56f4f0bd92d234b406cb337993577b06d442160eb2df57b0f26f4a998ed133
Instruction ID: b86b0e0cab288f3da3e99383bcd737d3cade482485190a0c8df72ac78f6364df
Opcode Fuzzy Hash: bc56f4f0bd92d234b406cb337993577b06d442160eb2df57b0f26f4a998ed133
Instruction Fuzzy Hash: 376148F120874966DE749AE88895BBFE3FDDF82700F140D1AF882DB281D6159E42CF56

Function 00937CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac77b9574187680ca21b56325d9995bf9e672a51f5c3a39d5da6aa10a3db3c26
Instruction ID: d5ab43a34b8ccc7ca59fc6675eea9c026b5c3c3d303c0dd724eac1f8d8e97df9
Opcode Fuzzy Hash: ac77b9574187680ca21b56325d9995bf9e672a51f5c3a39d5da6aa10a3db3c26
Instruction Fuzzy Hash: 9F6169F120C70966DE389AE88896BBFE39CDF82704F100D59F853DB2D1DA169D42CE55

Function 00931706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e158e4d578d06cdbfea2620e7a989308b2de5eb0de8f9d9c8db86dde7d7d8909
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 188187366080A349DB6D863A853453EFFE55A923A1B1E079ED4F3CB1E1EE24C954DE20

Function 00982046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc95dfc629d3c6881cd760e975df645a88ecfc95090a83a4e574c43495051cb
Instruction ID: 39708e6cbd7e346dc591c0a46aff8ad7b739654aefedd0900fc640802cfd08a4
Opcode Fuzzy Hash: bbc95dfc629d3c6881cd760e975df645a88ecfc95090a83a4e574c43495051cb
Instruction Fuzzy Hash: C721D8326206158BDB28CF79C81267A73E9A794310F148A2EE4A7C73D1DE75AD04DB80

Function 00992ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00992B30
DeleteObject.GDI32(00000000), ref: 00992B43
DestroyWindow.USER32 ref: 00992B52
GetDesktopWindow.USER32 ref: 00992B6D
GetWindowRect.USER32(00000000), ref: 00992B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00992CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00992CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992CF8
GetClientRect.USER32(00000000,?), ref: 00992D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00992D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D80
GlobalLock.KERNEL32(00000000), ref: 00992D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D98
GlobalUnlock.KERNEL32(00000000), ref: 00992DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992DA8
GlobalFree.KERNEL32(00000000), ref: 00992DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009AFC38,00000000), ref: 00992DDB
GlobalFree.KERNEL32(00000000), ref: 00992DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00992E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00992E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0099303F

Strings

static, xrefs: 00992D3A, 00992E91
, xrefs: 00992FC5
AutoIt v3, xrefs: 00992CF2
DISPLAY, xrefs: 00992EA2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 979f2febdecef3b32da5c15c24e77b2755ce86eb37e7bd31fbd54e45e32f3e2c
Instruction ID: 27078225e1f466fcfd3779dfaec5fae10a9236f35c85d3d81f8a8399f675840f
Opcode Fuzzy Hash: 979f2febdecef3b32da5c15c24e77b2755ce86eb37e7bd31fbd54e45e32f3e2c
Instruction Fuzzy Hash: 070270B1610209AFDB14DF68CC89EAE7BB9EF49310F048158F915AB2A1DB74DD41DFA0

Function 009A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009A712F
GetSysColorBrush.USER32(0000000F), ref: 009A7160
GetSysColor.USER32(0000000F), ref: 009A716C
SetBkColor.GDI32(?,000000FF), ref: 009A7186
SelectObject.GDI32(?,?), ref: 009A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009A71C0
GetSysColor.USER32(00000010), ref: 009A71C8
CreateSolidBrush.GDI32(00000000), ref: 009A71CF
FrameRect.USER32(?,?,00000000), ref: 009A71DE
DeleteObject.GDI32(00000000), ref: 009A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009A7230
FillRect.USER32(?,?,?), ref: 009A7262
GetWindowLongW.USER32(?,000000F0), ref: 009A7284

Part of subcall function 009A73E8: GetSysColor.USER32(00000012), ref: 009A7421
Part of subcall function 009A73E8: SetTextColor.GDI32(?,?), ref: 009A7425
Part of subcall function 009A73E8: GetSysColorBrush.USER32(0000000F), ref: 009A743B
Part of subcall function 009A73E8: GetSysColor.USER32(0000000F), ref: 009A7446
Part of subcall function 009A73E8: GetSysColor.USER32(00000011), ref: 009A7463
Part of subcall function 009A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009A7471
Part of subcall function 009A73E8: SelectObject.GDI32(?,00000000), ref: 009A7482
Part of subcall function 009A73E8: SetBkColor.GDI32(?,00000000), ref: 009A748B
Part of subcall function 009A73E8: SelectObject.GDI32(?,?), ref: 009A7498
Part of subcall function 009A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009A74B7
Part of subcall function 009A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009A74CE
Part of subcall function 009A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009A74DB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a1a1cc80aeb081b75518ebe66dc3a887260064b305d458b7628e03ac61279b3e
Instruction ID: 3aada598758d7d9b573edfbb8f81b37bf129c8268c24fd1b59199a353578b33a
Opcode Fuzzy Hash: a1a1cc80aeb081b75518ebe66dc3a887260064b305d458b7628e03ac61279b3e
Instruction Fuzzy Hash: 11A1B3B251C301AFDB409F60DC49A6BBBE9FF4A320F101A19F9629A1E1D734E944DBD1

Function 00928D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00928E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00966AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00966AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00966F43

Part of subcall function 00928F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00928BE8,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 00928FC5

SendMessageW.USER32(?,00001053), ref: 00966F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00966F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00966FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00966FB7

Strings

0, xrefs: 00966DCF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ce2a58a9511b0e4492185bc303c237a9f765373f9de1745596a68a1d174c594d
Instruction ID: a29c59f859d29ce2149b55c4c5cf46ab4d363503bcf0d6571f2e798433a82047
Opcode Fuzzy Hash: ce2a58a9511b0e4492185bc303c237a9f765373f9de1745596a68a1d174c594d
Instruction Fuzzy Hash: 2012BE70609251EFDB25DF24E894BAAB7E9FF49300F144469F4898B262CB32EC51DF91

Function 00992711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0099273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0099286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00992900
GetClientRect.USER32(00000000,?), ref: 0099290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00992955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00992964
GetStockObject.GDI32(00000011), ref: 00992974
SelectObject.GDI32(00000000,00000000), ref: 00992978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00992988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00992991
DeleteDC.GDI32(00000000), ref: 0099299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00992A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00992A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00992A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00992A77
GetStockObject.GDI32(00000011), ref: 00992A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00992A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00992A97

Strings

msctls_progress32, xrefs: 00992A13
static, xrefs: 0099294F, 00992A71
AutoIt v3, xrefs: 009928F8
DISPLAY, xrefs: 0099295A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 92592a53817a652348bab2ba0342939310fffdfa319e07ea289db5ecf54ad190
Instruction ID: 188444238a5e317b52f367461b480277c6958968abc9728e1ef3260faadf4522
Opcode Fuzzy Hash: 92592a53817a652348bab2ba0342939310fffdfa319e07ea289db5ecf54ad190
Instruction Fuzzy Hash: 3CB14AB1A50219BFEB14DFA8CC89FAE7BA9EF49710F004115F915EB290D774AD40DBA0

Function 00984ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00984AED
GetDriveTypeW.KERNEL32(?,009ACB68,?,\\.\,009ACC08), ref: 00984BCA
SetErrorMode.KERNEL32(00000000,009ACB68,?,\\.\,009ACC08), ref: 00984D36

Strings

CDROM, xrefs: 00984BFB
RAID, xrefs: 00984CBB
SATA, xrefs: 00984CD0
SCSI, xrefs: 00984C8A
FileBackedVirtual, xrefs: 00984CEC
ATA, xrefs: 00984C98
USB, xrefs: 00984CB4
Removable, xrefs: 00984C10, 00984C15
Network, xrefs: 00984C02
RAMDisk, xrefs: 00984BF4
Fixed, xrefs: 00984C09
Fibre, xrefs: 00984CAD
PhysicalDrive, xrefs: 00984B76
MMC, xrefs: 00984CDE
SSD, xrefs: 00984C4A
SAS, xrefs: 00984CC9
ATAPI, xrefs: 00984C91
1394, xrefs: 00984C9F
Virtual, xrefs: 00984CE5
\\.\, xrefs: 00984B3F
Unknown, xrefs: 00984BED, 00984C83
iSCSI, xrefs: 00984CC2
SSA, xrefs: 00984CA6

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3918c94b5456a36525c47cb0f02b09924ad0ffa3e497e99a7eeebe7a1cc17d32
Instruction ID: d3faa60eb9e67963f25b04a10b1d746119aee627e7b697640dfa0c8e479a7c66
Opcode Fuzzy Hash: 3918c94b5456a36525c47cb0f02b09924ad0ffa3e497e99a7eeebe7a1cc17d32
Instruction Fuzzy Hash: 5361D63174520B9BCB14FF24CA81AECB7B9AF85304B24C416F886AB391DB79ED41DB41

Function 009A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009A7421
SetTextColor.GDI32(?,?), ref: 009A7425
GetSysColorBrush.USER32(0000000F), ref: 009A743B
GetSysColor.USER32(0000000F), ref: 009A7446
CreateSolidBrush.GDI32(?), ref: 009A744B
GetSysColor.USER32(00000011), ref: 009A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009A7471
SelectObject.GDI32(?,00000000), ref: 009A7482
SetBkColor.GDI32(?,00000000), ref: 009A748B
SelectObject.GDI32(?,?), ref: 009A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009A7572
DrawFocusRect.USER32(?,?), ref: 009A757D
GetSysColor.USER32(00000011), ref: 009A758E
SetTextColor.GDI32(?,00000000), ref: 009A7596
DrawTextW.USER32(?,009A70F5,000000FF,?,00000000), ref: 009A75A8
SelectObject.GDI32(?,?), ref: 009A75BF
DeleteObject.GDI32(?), ref: 009A75CA
SelectObject.GDI32(?,?), ref: 009A75D0
DeleteObject.GDI32(?), ref: 009A75D5
SetTextColor.GDI32(?,?), ref: 009A75DB
SetBkColor.GDI32(?,?), ref: 009A75E5

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ecbc2093e82995d9c46870992ca34f85518c71a8f37a47ad8e5b15d1fa2f4b1e
Instruction ID: d98f0dd11104a239e85dc5f1aa9a2a472df8a3471d833621f3bb41faced7a6d6
Opcode Fuzzy Hash: ecbc2093e82995d9c46870992ca34f85518c71a8f37a47ad8e5b15d1fa2f4b1e
Instruction Fuzzy Hash: 03615272D08218AFDF019FA4DC49EAEBFB9EF0A320F114525F915AB2A1D7749940DBD0

Function 009A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009A1128
GetDesktopWindow.USER32 ref: 009A113D
GetWindowRect.USER32(00000000), ref: 009A1144
GetWindowLongW.USER32(?,000000F0), ref: 009A1199
DestroyWindow.USER32(?), ref: 009A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009A1245
IsWindowVisible.USER32(00000000), ref: 009A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009A12D0
GetWindowRect.USER32(00000000,?), ref: 009A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009A130E
GetMonitorInfoW.USER32(00000000,?), ref: 009A1328
CopyRect.USER32(?,?), ref: 009A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009A13AA

Strings

tooltips_class32, xrefs: 009A11E6
(, xrefs: 009A131B
0, xrefs: 009A10D3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2ac9f4a7a94d705fdfa1a1220b8438ace1ee6ca074c80fda00def394d338c92e
Instruction ID: 936c6e1bcc653f739e6df92a35883797ebcd3b62491a38d7787d10bf195f19f8
Opcode Fuzzy Hash: 2ac9f4a7a94d705fdfa1a1220b8438ace1ee6ca074c80fda00def394d338c92e
Instruction Fuzzy Hash: D1B18D71608341AFDB14DF64C884BABBBE5FF85350F00891DF9999B2A1DB31E845CB91

Function 009A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009A02E5
_wcslen.LIBCMT ref: 009A031F
_wcslen.LIBCMT ref: 009A0389
_wcslen.LIBCMT ref: 009A03F1
_wcslen.LIBCMT ref: 009A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009A0504

Part of subcall function 0092F9F2: _wcslen.LIBCMT ref: 0092F9FD

Part of subcall function 0097223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00972258
Part of subcall function 0097223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0097228A

Strings

SELECTALL, xrefs: 009A0515
GETTEXT, xrefs: 009A03EC, 009A0407
SELECT, xrefs: 009A0548
ISSELECTED, xrefs: 009A04DD
GETSUBITEMCOUNT, xrefs: 009A0384, 009A039F
SELECTCLEAR, xrefs: 009A052D
SELECTINVERT, xrefs: 009A057E
GETSELECTED, xrefs: 009A05E1
GETSELECTEDCOUNT, xrefs: 009A0470, 009A048B
VIEWCHANGE, xrefs: 009A0675
GETITEMCOUNT, xrefs: 009A0316, 009A0337
DESELECT, xrefs: 009A059C
FINDITEM, xrefs: 009A0627

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b444cf20e262258cf3e30f451b5a6a6527089571a65f2d8573b3f817d77ca4ee
Instruction ID: cb2bf8f1f4a830bf52991ded02b4af5cc347d31641a191c5b8fffee2e3b0aaa3
Opcode Fuzzy Hash: b444cf20e262258cf3e30f451b5a6a6527089571a65f2d8573b3f817d77ca4ee
Instruction Fuzzy Hash: C1E1BF312183018FCB14DF24C550A6AB3E6BFC9718F548A6DF8969B3A5EB34ED45CB81

Function 00928891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00928968
GetSystemMetrics.USER32(00000007), ref: 00928970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0092899B
GetSystemMetrics.USER32(00000008), ref: 009289A3
GetSystemMetrics.USER32(00000004), ref: 009289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00928A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00928A3C
GetClientRect.USER32(00000000,000000FF), ref: 00928A5A
GetStockObject.GDI32(00000011), ref: 00928A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00928A81

Part of subcall function 0092912D: GetCursorPos.USER32(?), ref: 00929141
Part of subcall function 0092912D: ScreenToClient.USER32(00000000,?), ref: 0092915E
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000001), ref: 00929183
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000002), ref: 0092919D

SetTimer.USER32(00000000,00000000,00000028,009290FC), ref: 00928AA8

Strings

AutoIt v3 GUI, xrefs: 00928A20

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d81b385c11b489658fd363a30b913c3880c38606918dcca3fd6765cc07a34e52
Instruction ID: d1ca2628670456bea7a8c9d75beb955933709ae3cb52cf161999205d657f5889
Opcode Fuzzy Hash: d81b385c11b489658fd363a30b913c3880c38606918dcca3fd6765cc07a34e52
Instruction Fuzzy Hash: 5EB18E75A0421AAFDB14DFA8DD85BAE7BB5FF48314F104129FA15AB290DB34E840DB90

Function 00970D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00971114
Part of subcall function 009710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971120
Part of subcall function 009710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 0097112F
Part of subcall function 009710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971136
Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0097114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00970DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00970E29
GetLengthSid.ADVAPI32(?), ref: 00970E40
GetAce.ADVAPI32(?,00000000,?), ref: 00970E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00970E96
GetLengthSid.ADVAPI32(?), ref: 00970EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00970EB5
HeapAlloc.KERNEL32(00000000), ref: 00970EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00970EDD
CopySid.ADVAPI32(00000000), ref: 00970EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00970F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00970F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00970F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970F6E
HeapFree.KERNEL32(00000000), ref: 00970F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970F7E
HeapFree.KERNEL32(00000000), ref: 00970F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970F8E
HeapFree.KERNEL32(00000000), ref: 00970F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00970FA1
HeapFree.KERNEL32(00000000), ref: 00970FA8

Part of subcall function 00971193: GetProcessHeap.KERNEL32(00000008,00970BB1,?,00000000,?,00970BB1,?), ref: 009711A1
Part of subcall function 00971193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00970BB1,?), ref: 009711A8
Part of subcall function 00971193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00970BB1,?), ref: 009711B7

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c7891e2b2f80a110f8456c36454bbdcb3d77fa4d599802b0b432a29303f0da4d
Instruction ID: c8ed15ceb58ec05a9601c07ff840a46dc84e05ddb00fe195eb48311181616de6
Opcode Fuzzy Hash: c7891e2b2f80a110f8456c36454bbdcb3d77fa4d599802b0b432a29303f0da4d
Instruction Fuzzy Hash: 4B714CB290421AEBDF20DFA4DC45FAEBBBCBF45310F148115F919EA191D7719905CBA0

Function 0099C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009ACC08,00000000,?,00000000,?,?), ref: 0099C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0099C5A4
_wcslen.LIBCMT ref: 0099C5F4
_wcslen.LIBCMT ref: 0099C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0099C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0099C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0099C84D
RegCloseKey.ADVAPI32(?), ref: 0099C881
RegCloseKey.ADVAPI32(00000000), ref: 0099C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0099C960

Strings

REG_DWORD, xrefs: 0099C804
REG_BINARY, xrefs: 0099C913
REG_EXPAND_SZ, xrefs: 0099C5CD
REG_MULTI_SZ, xrefs: 0099C6F5
REG_QWORD, xrefs: 0099C8C3
REG_SZ, xrefs: 0099C644

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: da07967bbe5d2a85e7ec14bd70443ba75f14416e65fd24b23f345d6a4ebe1e29
Instruction ID: 645d7f9f6dc7ea3504f13b1bf2e0aac3aa68b99561dbb9fba66b2214fe04b3d4
Opcode Fuzzy Hash: da07967bbe5d2a85e7ec14bd70443ba75f14416e65fd24b23f345d6a4ebe1e29
Instruction Fuzzy Hash: D01247757082019FDB14DF18C891B6AB7E5EF89714F05889DF88A9B3A2DB31ED41CB81

Function 009A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009A09C6
_wcslen.LIBCMT ref: 009A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009A0A54
_wcslen.LIBCMT ref: 009A0A8A
_wcslen.LIBCMT ref: 009A0B06
_wcslen.LIBCMT ref: 009A0B81

Part of subcall function 0092F9F2: _wcslen.LIBCMT ref: 0092F9FD

Part of subcall function 00972BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00972BFA

Strings

COLLAPSE, xrefs: 009A0B01, 009A0B1C
ISCHECKED, xrefs: 009A0CE1
GETSELECTED, xrefs: 009A0C4E
SELECT, xrefs: 009A0D11
GETTEXT, xrefs: 009A0C97
GETTOTALCOUNT, xrefs: 009A09F2, 009A0A17
EXISTS, xrefs: 009A0B7C, 009A0B97
GETITEMCOUNT, xrefs: 009A0C1E
CHECK, xrefs: 009A0A85, 009A0AA0
EXPAND, xrefs: 009A0BF8
UNCHECK, xrefs: 009A0D3E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c58f4b36f8964063e096a6d9b7e61b7429ab341c96745d8ee1c76b40005a2fea
Instruction ID: 3cfc2f3b879db6d59cb2376bf239c738b2b57443dc9333736f6a84fadc63a47c
Opcode Fuzzy Hash: c58f4b36f8964063e096a6d9b7e61b7429ab341c96745d8ee1c76b40005a2fea
Instruction Fuzzy Hash: 23E1BC322083018FCB14DF64C450A6AB7E6BFDA314F14895DF89A9B3A2D731ED85CB81

Function 0099C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
_wcslen.LIBCMT ref: 0099C9F1
_wcslen.LIBCMT ref: 0099CA68
_wcslen.LIBCMT ref: 0099CA9E
_wcslen.LIBCMT ref: 0099CAF9
_wcslen.LIBCMT ref: 0099CB2F
_wcslen.LIBCMT ref: 0099CB7F

Strings

HKEY_USERS, xrefs: 0099CBDF
HKEY_CLASSES_ROOT, xrefs: 0099CAF3, 0099CAF8
HKCR, xrefs: 0099CB29, 0099CB2E
HKEY_CURRENT_USER, xrefs: 0099CBBD
HKCC, xrefs: 0099CBAC
HKLM, xrefs: 0099CA98, 0099CA9D
HKEY_CURRENT_CONFIG, xrefs: 0099CB79, 0099CB7E
HKU, xrefs: 0099CBF0
HKEY_LOCAL_MACHINE, xrefs: 0099CA62, 0099CA67
HKCU, xrefs: 0099CBCE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f366a8c3720aca052eb4b3f517e69b78dd6aa090d113c6b432b0b6abe285a5d5
Instruction ID: 0bad5aeb862e279dad7ce25bcd3fd4c15d360639572ff4899af679d0cdc9ee92
Opcode Fuzzy Hash: f366a8c3720aca052eb4b3f517e69b78dd6aa090d113c6b432b0b6abe285a5d5
Instruction Fuzzy Hash: FF7129B260016A8BCF20DE7CCD516BF3399AFA0764F554925FC569B284F635DD80C3A0

Function 009A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009A835A
_wcslen.LIBCMT ref: 009A836E
_wcslen.LIBCMT ref: 009A8391
_wcslen.LIBCMT ref: 009A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009A5BF2), ref: 009A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009A8501
FreeLibrary.KERNEL32(?), ref: 009A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009A851D
DestroyIcon.USER32(?,?,?,?,?,009A5BF2), ref: 009A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009A8555

Strings

.exe, xrefs: 009A8388
.dll, xrefs: 009A83AB
.icl, xrefs: 009A8368

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: be32e2f509ac9aa71fe1877ac68c4a1af7cbeb8dff71998fc078411c823c98cd
Instruction ID: 5737da7665af7372747b4d30259a47e2023422b07843b4bfb4f47276014125cc
Opcode Fuzzy Hash: be32e2f509ac9aa71fe1877ac68c4a1af7cbeb8dff71998fc078411c823c98cd
Instruction Fuzzy Hash: EE61CF71944209BEEB14DF64CC45BBF77ACBF49B21F104509F815DA1D1EB74A980DBA0

Function 00917778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00917847
#pragma compile, xrefs: 009177D3
#OnAutoItStartRegister, xrefs: 00917817
Cannot parse #include, xrefs: 00955279
#requireadmin, xrefs: 009177FF
#cs, xrefs: 00917873, 009178C5
#notrayicon, xrefs: 009177E7
#comments-start, xrefs: 0091785F, 009178B1
", xrefs: 00955153
Unterminated group of comments, xrefs: 0095528C
#ce, xrefs: 009178ED
#comments-end, xrefs: 009178D9
Bad directive syntax error, xrefs: 0095519A
', xrefs: 00955169
#include-once, xrefs: 0091782F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 9a9b5d9826d3fb030de7c6c2a673e2e3e449f0f748a423aa2901d211d14c1ec5
Instruction ID: 1f5509760657f94be3c74ae26c8a79464c5a8eb9025c4acda5787fc94f86eec3
Opcode Fuzzy Hash: 9a9b5d9826d3fb030de7c6c2a673e2e3e449f0f748a423aa2901d211d14c1ec5
Instruction Fuzzy Hash: 1281F57170460AABDB20AFA1DC52FEF7BB8AF95304F054424FC05AA196EB70D985C7A1

Function 00983E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00983EF8
_wcslen.LIBCMT ref: 00983F03
_wcslen.LIBCMT ref: 00983F5A
_wcslen.LIBCMT ref: 00983F98
GetDriveTypeW.KERNEL32(?), ref: 00983FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0098401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00984059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00984087

Strings

close cd wait, xrefs: 00984072
open , xrefs: 00983FE5
type cdaudio alias cd wait, xrefs: 00984001
open, xrefs: 00983F54, 00983F59
wait, xrefs: 00984044
set cd door , xrefs: 00984028
closed, xrefs: 00983F08, 00983F2D, 00983F46, 00983F7E, 00983F97
close, xrefs: 00983EFE, 00983F18

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: a55b828efab58c7fba977038889b843cbfb97cbcacb17d87a90133e96742db93
Instruction ID: ed071df062bbb9065ee16a85be70c1b487fdbd23d89af32e008549ec608f524e
Opcode Fuzzy Hash: a55b828efab58c7fba977038889b843cbfb97cbcacb17d87a90133e96742db93
Instruction Fuzzy Hash: 0271AE71A042069FC310EF34C880AAAB7F8EF94758F00892DF99697351EB35ED45CB91

Function 00975A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00975A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00975A40
SetWindowTextW.USER32(?,?), ref: 00975A57
GetDlgItem.USER32(?,000003EA), ref: 00975A6C
SetWindowTextW.USER32(00000000,?), ref: 00975A72
GetDlgItem.USER32(?,000003E9), ref: 00975A82
SetWindowTextW.USER32(00000000,?), ref: 00975A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00975AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00975AC3
GetWindowRect.USER32(?,?), ref: 00975ACC
_wcslen.LIBCMT ref: 00975B33
SetWindowTextW.USER32(?,?), ref: 00975B6F
GetDesktopWindow.USER32 ref: 00975B75
GetWindowRect.USER32(00000000), ref: 00975B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00975BD3
GetClientRect.USER32(?,?), ref: 00975BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00975C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00975C2F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: bd45999479081990b20d343f627c7d1b553a90e5816f42883a006413bdea6c88
Instruction ID: 25168d56a426f179b4c0dab27e8bf39ce65620937c559c89731e7f931ac0d0f8
Opcode Fuzzy Hash: bd45999479081990b20d343f627c7d1b553a90e5816f42883a006413bdea6c88
Instruction Fuzzy Hash: 26718072900B09EFDB20DFA8CE85B6EBBF9FF48704F114918E146A65A0D7B4E944CB50

Function 0098FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0098FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0098FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0098FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0098FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0098FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0098FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0098FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0098FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0098FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0098FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0098FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0098FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0098FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0098FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0098FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0098FECC
GetCursorInfo.USER32(?), ref: 0098FEDC
GetLastError.KERNEL32 ref: 0098FF1E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0e72079a6159d07417eedd9fd1c8be44f1c526c75361795b9564582d5b253b82
Instruction ID: a640137027b193ea0a98302c11b81d2d657764c8e9da08fdbd85db0a7d561be9
Opcode Fuzzy Hash: 0e72079a6159d07417eedd9fd1c8be44f1c526c75361795b9564582d5b253b82
Instruction Fuzzy Hash: 874131B0D483196ADB109FBA8C8985EBFE8FF44754B50452AE119EB281DB78A9018F91

Function 009300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009300C6

Part of subcall function 009300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(009E070C,00000FA0,9CA81C21,?,?,?,?,009523B3,000000FF), ref: 0093011C
Part of subcall function 009300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009523B3,000000FF), ref: 00930127
Part of subcall function 009300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009523B3,000000FF), ref: 00930138
Part of subcall function 009300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0093014E
Part of subcall function 009300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0093015C
Part of subcall function 009300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0093016A
Part of subcall function 009300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00930195
Part of subcall function 009300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009301A0

___scrt_fastfail.LIBCMT ref: 009300E7

Part of subcall function 009300A3: __onexit.LIBCMT ref: 009300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00930122
WakeAllConditionVariable, xrefs: 00930162
kernel32.dll, xrefs: 00930133
SleepConditionVariableCS, xrefs: 00930154
InitializeConditionVariable, xrefs: 00930148

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b05500dec267f2a0525b6a7d165a5ef40b77afc7dca21f899dd40b86ab684308
Instruction ID: eb909374910965865d901c59ba3613aeea4abb28efae33aa9dbe9446b52762b2
Opcode Fuzzy Hash: b05500dec267f2a0525b6a7d165a5ef40b77afc7dca21f899dd40b86ab684308
Instruction Fuzzy Hash: 4C21D772A5D7116FD7215BE4AC69B2A77A8EFC6B55F000135F801AB2D1DBB49C009ED0

Function 009730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0097318D
_wcslen.LIBCMT ref: 009731F8

Strings

CLASS, xrefs: 00973188, 009731A5
CLASSNN, xrefs: 009731F3, 00973204
NAME, xrefs: 00973335, 00973346
INSTANCE, xrefs: 00973453
REGEXPCLASS, xrefs: 00973255, 00973266
TEXT, xrefs: 0097347C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: e3043a6806a6e7f5cf5dea9a35faa629f98256001fcf1a2317864af4c858c06b
Instruction ID: e08864e837611a93351563ed39b6ec3589e78406bab279e2a29c61599f67dc3c
Opcode Fuzzy Hash: e3043a6806a6e7f5cf5dea9a35faa629f98256001fcf1a2317864af4c858c06b
Instruction Fuzzy Hash: CEE1E633A00516ABCB289F74C4517EEBBB4BF54710F55C12AE46EF7250DB30AE85A790

Function 009844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009ACC08), ref: 00984527
_wcslen.LIBCMT ref: 0098453B
_wcslen.LIBCMT ref: 00984599
_wcslen.LIBCMT ref: 009845F4
_wcslen.LIBCMT ref: 0098463F
_wcslen.LIBCMT ref: 009846A7

Part of subcall function 0092F9F2: _wcslen.LIBCMT ref: 0092F9FD

GetDriveTypeW.KERNEL32(?,009D6BF0,00000061), ref: 00984743

Strings

unknown, xrefs: 00984708
ramdisk, xrefs: 009846F1
network, xrefs: 0098469D, 009846A2
removable, xrefs: 009845EA, 009845EF
cdrom, xrefs: 0098458F, 00984594
all, xrefs: 00984531, 00984536
fixed, xrefs: 00984635, 0098463A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5a3276187ddf0bd08d5815b575f0acb0c6f84244faf708b8ed0e64efe095917f
Instruction ID: 30acea8ff3ffafdf1a2bd7be95ce3c9d49a66f48f6c0e880747921f2cde1326a
Opcode Fuzzy Hash: 5a3276187ddf0bd08d5815b575f0acb0c6f84244faf708b8ed0e64efe095917f
Instruction Fuzzy Hash: 25B1AE716083029FC710EF28C890A6EB7E9AFE5764F50891DF496C7391E734D985CBA2

Function 00993FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009ACC08), ref: 009940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,009ACC08), ref: 009940F2
FreeLibrary.KERNEL32(00000000,?,009ACC08), ref: 0099413E
StringFromGUID2.OLE32(?,?,00000028,?,009ACC08), ref: 009941A8
SysFreeString.OLEAUT32(00000009), ref: 00994262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009942C8
SysFreeString.OLEAUT32(?), ref: 009942F2

Strings

GetModuleHandleExW, xrefs: 009940C7
kernel32.dll, xrefs: 009940B6

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: f4d93fa54d72194766724aa9850a68cdbe3877980f68b90693a4920462986550
Instruction ID: 40a55501e74cb1722848305f9474e64cae864f445f094bdab7d6919fe67228bc
Opcode Fuzzy Hash: f4d93fa54d72194766724aa9850a68cdbe3877980f68b90693a4920462986550
Instruction Fuzzy Hash: F9122A75A00119EFDF15CF98C884EAEB7B9FF49314F248098E9059B261D731ED82CBA0

Function 0091326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(009E1990), ref: 00952F8D
GetMenuItemCount.USER32(009E1990), ref: 0095303D
GetCursorPos.USER32(?), ref: 00953081
SetForegroundWindow.USER32(00000000), ref: 0095308A
TrackPopupMenuEx.USER32(009E1990,00000000,?,00000000,00000000,00000000), ref: 0095309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009530A9

Strings

0, xrefs: 0091327D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 59a73f6087dd12cfd5a53785c35b3fcd6e1530aae03c474ca1b9190f36787135
Instruction ID: de848054c7f9c72e381daefa692e5700127851d914e4e24cbc025acb2963bbf1
Opcode Fuzzy Hash: 59a73f6087dd12cfd5a53785c35b3fcd6e1530aae03c474ca1b9190f36787135
Instruction Fuzzy Hash: 66713871644205BEEB21DF25DC49F9ABF78FF02364F208206F9246A1E0C7B1A954DB90

Function 009A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 009A6DEB

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009A6E94
DestroyWindow.USER32(?), ref: 009A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00910000,00000000), ref: 009A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009A6EFD
GetDesktopWindow.USER32 ref: 009A6F16
GetWindowRect.USER32(00000000), ref: 009A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009A6F4D

Part of subcall function 00929944: GetWindowLongW.USER32(?,000000EB), ref: 00929952

Strings

tooltips_class32, xrefs: 009A6E58, 009A6EDD
0, xrefs: 009A6D98

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b07f7b68ffdfa4ce4fc840d063f32ca2ce8af54a8d5624f16a8f35e568a68442
Instruction ID: 463dc14d773bf8ed4032cd3bc44e44e8a3937f03d592d4b812e6aea3cd3d8438
Opcode Fuzzy Hash: b07f7b68ffdfa4ce4fc840d063f32ca2ce8af54a8d5624f16a8f35e568a68442
Instruction Fuzzy Hash: 02714974548245AFDB21CF18EC44BAABBE9FB8A304F18041DF9998B2A1C770AD45DB91

Function 009A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

DragQueryPoint.SHELL32(?,?), ref: 009A9147

Part of subcall function 009A7674: ClientToScreen.USER32(?,?), ref: 009A769A
Part of subcall function 009A7674: GetWindowRect.USER32(?,?), ref: 009A7710
Part of subcall function 009A7674: PtInRect.USER32(?,?,009A8B89), ref: 009A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009A9277
DragFinish.SHELL32(?), ref: 009A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009A9371

Strings

@GUI_DRAGFILE, xrefs: 009A9320
@GUI_DROPID, xrefs: 009A929E
@GUI_DRAGID, xrefs: 009A92E9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4c3c62b86b1030278e7a316b020c9a01f06d82649781bb23cd3854bd8070bd6b
Instruction ID: c8b1bfd35dd698f06516fa66e0d57061a2436c3db75adc96fff999f3cd8c1e0b
Opcode Fuzzy Hash: 4c3c62b86b1030278e7a316b020c9a01f06d82649781bb23cd3854bd8070bd6b
Instruction Fuzzy Hash: 3B615971108305AFC705DF64DC85EAFBBE8EFCA750F00091EF596962A1DB709A49CB92

Function 0098C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0098C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0098C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0098C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0098C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0098C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0098C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0098C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0098C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0098C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0098C5F0
InternetCloseHandle.WININET(00000000), ref: 0098C5FB

Strings

, xrefs: 0098C575

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d9ea669e1c63e034e70d43b2c9350e76e84c718c019faf03f8e603934a838c3f
Instruction ID: 79823d368f33c79fcb3dd24665f349747bb1af629da933b0e0bf52ab97dbc659
Opcode Fuzzy Hash: d9ea669e1c63e034e70d43b2c9350e76e84c718c019faf03f8e603934a838c3f
Instruction Fuzzy Hash: 61516BF1514209BFDB21AF60C988AAB7BFCFF09754F00442AF945DA210DB34E944ABB0

Function 009A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85BA
GlobalLock.KERNEL32(00000000), ref: 009A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85D7
GlobalUnlock.KERNEL32(00000000), ref: 009A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009AFC38,?), ref: 009A8611
GlobalFree.KERNEL32(00000000), ref: 009A8621
GetObjectW.GDI32(?,00000018,?), ref: 009A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009A8671
DeleteObject.GDI32(?), ref: 009A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009A86AF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: dd79a42155acc445b19a0bb4cca8d0a1f8e09aa8c373fc3ca6272e0bdafb28e5
Instruction ID: 64ef9ae91c5a0c223e5b5aaeb8a6c9c0a466c99a1023808587fb38d3909022e9
Opcode Fuzzy Hash: dd79a42155acc445b19a0bb4cca8d0a1f8e09aa8c373fc3ca6272e0bdafb28e5
Instruction Fuzzy Hash: 5B4107B5614208AFDB119FA5CC48EAB7BBCEF8AB15F104058F915EB260DB309901DBA0

Function 009814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00981502
VariantCopy.OLEAUT32(?,?), ref: 0098150B
VariantClear.OLEAUT32(?), ref: 00981517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00981657
VariantInit.OLEAUT32(?), ref: 00981708
SysFreeString.OLEAUT32(?), ref: 0098178C
VariantClear.OLEAUT32(?), ref: 009817D8
VariantClear.OLEAUT32(?), ref: 009817E7
VariantInit.OLEAUT32(00000000), ref: 00981823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00981625
Default, xrefs: 009816AF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a8e00a98f185550b6c56a4f7afa3c60e6cd9d0b87b2d3df139aa01070c7c4bb7
Instruction ID: 33a63ebec0aa0decb7bc9f78d2ee2982b307411afc2d2fe0c0b5e6e895f80c32
Opcode Fuzzy Hash: a8e00a98f185550b6c56a4f7afa3c60e6cd9d0b87b2d3df139aa01070c7c4bb7
Instruction Fuzzy Hash: 1ED10372A04115DBDB10BF65E885BBDB7B9BF86700F10885AF446AB390DB34DC42DBA1

Function 0099B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0099B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0099B80A
RegCloseKey.ADVAPI32(?), ref: 0099B87E
RegCloseKey.ADVAPI32(?), ref: 0099B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0099B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0099B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0099B922
FreeLibrary.KERNEL32(00000000), ref: 0099B983
RegCloseKey.ADVAPI32(00000000), ref: 0099B994

Strings

advapi32.dll, xrefs: 0099B8ED
RegDeleteKeyExW, xrefs: 0099B8FE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 540658d013582c11e0edc53192dccde93742d0e3595dc486b35020daaa2bf2d1
Instruction ID: 7715e49636555228f80d8382e5a700be1666c0bf2b92ec5b1f57cb109c2ef89f
Opcode Fuzzy Hash: 540658d013582c11e0edc53192dccde93742d0e3595dc486b35020daaa2bf2d1
Instruction Fuzzy Hash: CAC19E70208201AFDB10DF18D594F2ABBE5BF85308F14859CF59A4B3A2CB75ED86CB91

Function 0099255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009925E8
CreateCompatibleDC.GDI32(?), ref: 009925F4
SelectObject.GDI32(00000000,?), ref: 00992601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0099266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009926D0
SelectObject.GDI32(?,?), ref: 009926D8
DeleteObject.GDI32(?), ref: 009926E1
DeleteDC.GDI32(?), ref: 009926E8
ReleaseDC.USER32(00000000,?), ref: 009926F3

Strings

(, xrefs: 0099268D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 920f0e8bb3a470f0bc1d17c4e0cdcb055bf90aac4792d07f9cc0bf04a79c803d
Instruction ID: 28e1a65448fd449359883a856e3fcecc0d220fe96ec28c08a6503abd672654a9
Opcode Fuzzy Hash: 920f0e8bb3a470f0bc1d17c4e0cdcb055bf90aac4792d07f9cc0bf04a79c803d
Instruction Fuzzy Hash: C461E5B5E04219EFCF05CFA8D884AAEBBF5FF48310F20852AE555A7250D774A941DF90

Function 0094DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0094DAA1

Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D659
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D66B
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D67D
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D68F
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6A1
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6B3
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6C5
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6D7
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6E9
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6FB
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D70D
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D71F
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D731

_free.LIBCMT ref: 0094DA96

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094DAB8
_free.LIBCMT ref: 0094DACD
_free.LIBCMT ref: 0094DAD8
_free.LIBCMT ref: 0094DAFA
_free.LIBCMT ref: 0094DB0D
_free.LIBCMT ref: 0094DB1B
_free.LIBCMT ref: 0094DB26
_free.LIBCMT ref: 0094DB5E
_free.LIBCMT ref: 0094DB65
_free.LIBCMT ref: 0094DB82
_free.LIBCMT ref: 0094DB9A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e1abac2d95202534af2b4629b35607e96f432d1ed02940aca0eff76ebc931467
Instruction ID: 82ad1370a5e3dead36d32aa6810c506238f819ec9e0a3d8e5444f66753de8264
Opcode Fuzzy Hash: e1abac2d95202534af2b4629b35607e96f432d1ed02940aca0eff76ebc931467
Instruction Fuzzy Hash: 803145366052059FEB22AB3AE945F5AB7E9FF40310F55442AF448D7291DB30AC808B20

Function 0097365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0097369C
_wcslen.LIBCMT ref: 009736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00973797
GetClassNameW.USER32(?,?,00000400), ref: 0097380C
GetDlgCtrlID.USER32(?), ref: 0097385D
GetWindowRect.USER32(?,?), ref: 00973882
GetParent.USER32(?), ref: 009738A0
ScreenToClient.USER32(00000000), ref: 009738A7
GetClassNameW.USER32(?,?,00000100), ref: 00973921
GetWindowTextW.USER32(?,?,00000400), ref: 0097395D

Strings

%s%u, xrefs: 00973734

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b3a40ca8d2b5af168cbe03adafb657521b65b87946587e869d85e2f4f7cd7eb1
Instruction ID: aaa45a7dc648ddcd51613a4ee622af517fb2609fb3443f513d8669db84b3b837
Opcode Fuzzy Hash: b3a40ca8d2b5af168cbe03adafb657521b65b87946587e869d85e2f4f7cd7eb1
Instruction Fuzzy Hash: D8918F72204606EFD719DF24C885BEAB7A8FF44354F00C629FA9DD6190EB30EA45DB91

Function 00974954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00974994
GetWindowTextW.USER32(?,?,00000400), ref: 009749DA
_wcslen.LIBCMT ref: 009749EB
CharUpperBuffW.USER32(?,00000000), ref: 009749F7
_wcsstr.LIBVCRUNTIME ref: 00974A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00974A64
GetWindowTextW.USER32(?,?,00000400), ref: 00974A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00974AE6
GetClassNameW.USER32(?,?,00000400), ref: 00974B20
GetWindowRect.USER32(?,?), ref: 00974B8B

Strings

ThumbnailClass, xrefs: 00974A6F, 00974AF1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 117b116ebba30f932427d17f16278210965028400293e904d5021ee3763c183b
Instruction ID: 727b9445e258d1e377d4516b3b337eabf7ce3760e3f490d8b22e1b2f1167b5e3
Opcode Fuzzy Hash: 117b116ebba30f932427d17f16278210965028400293e904d5021ee3763c183b
Instruction Fuzzy Hash: C191C0721082069FDB05DF14C981BAAB7ECFF84714F04C46AFD899A096EB30ED45CBA1

Function 009A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009A8D5A
GetFocus.USER32 ref: 009A8D6A
GetDlgCtrlID.USER32(00000000), ref: 009A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009A8ECF
GetMenuItemCount.USER32(?), ref: 009A8EEC
GetMenuItemID.USER32(?,00000000), ref: 009A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009A8FA1

Strings

0, xrefs: 009A8E9F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 821362d9459a918b83e5f88f09568bcf685c01f30bb1a61f2e3d0d7390ce4aba
Instruction ID: 0144e6ab0fa7b5aa072a62d857f814ac072eb630550d7b17bf13540575af678a
Opcode Fuzzy Hash: 821362d9459a918b83e5f88f09568bcf685c01f30bb1a61f2e3d0d7390ce4aba
Instruction Fuzzy Hash: 2B819D71508302AFDB20DF24D884AABBBE9FF8A754F140919F9859B291DB70DD01DBE1

Function 0097BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(009E1990,000000FF,00000000,00000030), ref: 0097BFAC
SetMenuItemInfoW.USER32(009E1990,00000004,00000000,00000030), ref: 0097BFE1
Sleep.KERNEL32(000001F4), ref: 0097BFF3
GetMenuItemCount.USER32(?), ref: 0097C039
GetMenuItemID.USER32(?,00000000), ref: 0097C056
GetMenuItemID.USER32(?,-00000001), ref: 0097C082
GetMenuItemID.USER32(?,?), ref: 0097C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0097C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0097C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0097C145

Strings

0, xrefs: 0097BF3D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 315e4dc47705cca191862746928d4c758cb554c7ca623a928125b25f100933e5
Instruction ID: c3160bf707b504fe558ba1b3857f87203e4a0d1542b8b61cf776d50c659c6286
Opcode Fuzzy Hash: 315e4dc47705cca191862746928d4c758cb554c7ca623a928125b25f100933e5
Instruction Fuzzy Hash: 7A6192F2914249AFDF11CF64DC88AEE7BB8EF45344F408059F809A7291D735AD04DBA0

Function 0097DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0097DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0097DC46
_wcslen.LIBCMT ref: 0097DC50
_wcsstr.LIBVCRUNTIME ref: 0097DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0097DCBC

Strings

StringFileInfo\, xrefs: 0097DC8F
%u.%u.%u.%u, xrefs: 0097DD9A
04090000, xrefs: 0097DCF2
DefaultLangCodepage, xrefs: 0097DD1F
\VarFileInfo\Translation, xrefs: 0097DCB4

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 83b11217aaaddcb97c00fc6c652960f78479d90f3489bc2f6bd392e8c4ad750e
Instruction ID: bc9f39f5e71fb7906ac2d557833678b2ab07a26ba0a170d54f918e5bd1417b51
Opcode Fuzzy Hash: 83b11217aaaddcb97c00fc6c652960f78479d90f3489bc2f6bd392e8c4ad750e
Instruction Fuzzy Hash: 21412373A412147ADB15A774AC47FBF37BCEF86710F10406AF908A61C2EB7599009BA5

Function 0099CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0099CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0099CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0099CD48

Part of subcall function 0099CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0099CCAA
Part of subcall function 0099CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0099CCBD
Part of subcall function 0099CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0099CCCF
Part of subcall function 0099CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0099CD05
Part of subcall function 0099CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0099CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0099CCF3

Strings

advapi32.dll, xrefs: 0099CCB8
RegDeleteKeyExW, xrefs: 0099CCC9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d5ff91b1a3d37a5127b0d0254cc347fb8c18f8b2ab8760dda486a323545303f3
Instruction ID: f90725def275f2efdd70389053fbcd853d98076e570c05b8d0e66b26934466c2
Opcode Fuzzy Hash: d5ff91b1a3d37a5127b0d0254cc347fb8c18f8b2ab8760dda486a323545303f3
Instruction Fuzzy Hash: AF3180B1A01128BBDB208B54DC88EFFBB7CEF56740F000565E905E6280D7349E45EAF0

Function 00983D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00983D40
_wcslen.LIBCMT ref: 00983D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00983D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00983DBE
RemoveDirectoryW.KERNEL32(?), ref: 00983DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00983E55
CloseHandle.KERNEL32(00000000), ref: 00983E60
CloseHandle.KERNEL32(00000000), ref: 00983E6B

Strings

\, xrefs: 00983D77
\??\%s, xrefs: 00983D5B
:, xrefs: 00983D82

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 3cbf7f17ae5b1a6502089879d21ec7b7c5b1c4087f8ff82b793c564d0e0dde2d
Instruction ID: 4223f14048c10b4d51f8c59b239310acc103ecb08514dd18f43e09054bc1a782
Opcode Fuzzy Hash: 3cbf7f17ae5b1a6502089879d21ec7b7c5b1c4087f8ff82b793c564d0e0dde2d
Instruction Fuzzy Hash: A631C6B1914109ABDB21AFA0DC49FEF37BCEF89B00F1080B5F915D6190EB7497448B64

Function 0097E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0097E6B4

Part of subcall function 0092E551: timeGetTime.WINMM(?,?,0097E6D4), ref: 0092E555

Sleep.KERNEL32(0000000A), ref: 0097E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0097E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0097E727
SetActiveWindow.USER32 ref: 0097E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0097E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0097E773
Sleep.KERNEL32(000000FA), ref: 0097E77E
IsWindow.USER32 ref: 0097E78A
EndDialog.USER32(00000000), ref: 0097E79B

Strings

BUTTON, xrefs: 0097E719

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 325f5d24b78c8606fcafeff6695b7a2e9f4bb1a830a0c0266b8c91d0767ec88a
Instruction ID: f67ccc352fbf47748755a95ea34f98d88de7455e0fcd5d94d66929170ffd504e
Opcode Fuzzy Hash: 325f5d24b78c8606fcafeff6695b7a2e9f4bb1a830a0c0266b8c91d0767ec88a
Instruction Fuzzy Hash: DC2199B222C245AFEF005F24ECC9B293B6DFB59749F109465F50D89171DBB1AC00BA54

Function 0097E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0097EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0097EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0097EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0097EAA7

Strings

close PlayMe, xrefs: 0097EA6E, 0097EA9B
play PlayMe, xrefs: 0097EAA2
open , xrefs: 0097EA0C
alias PlayMe, xrefs: 0097EA36
play PlayMe wait, xrefs: 0097EA91
status PlayMe mode, xrefs: 0097EA58

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8749a247957461eefb78bffb1c6860c28fb72654f5e63a9e3533d61b9002e3b1
Instruction ID: 935e6a93ce69b194b978a8f376f6585e1f89a1dbe9e5e920ee7867fc972d29dc
Opcode Fuzzy Hash: 8749a247957461eefb78bffb1c6860c28fb72654f5e63a9e3533d61b9002e3b1
Instruction Fuzzy Hash: 1011A032B9021D79D724A7A5DC5AEFF6B7CEBD6F44F40842AB811A20D0EEB01945C5B0

Function 00979F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0097A012
SetKeyboardState.USER32(?), ref: 0097A07D
GetAsyncKeyState.USER32(000000A0), ref: 0097A09D
GetKeyState.USER32(000000A0), ref: 0097A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0097A0E3
GetKeyState.USER32(000000A1), ref: 0097A0F4
GetAsyncKeyState.USER32(00000011), ref: 0097A120
GetKeyState.USER32(00000011), ref: 0097A12E
GetAsyncKeyState.USER32(00000012), ref: 0097A157
GetKeyState.USER32(00000012), ref: 0097A165
GetAsyncKeyState.USER32(0000005B), ref: 0097A18E
GetKeyState.USER32(0000005B), ref: 0097A19C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6f3d9f71186efa74c90e17b95c9a83508738aa63f458bd978d130155ad0f1e35
Instruction ID: 45d6121b8e8c5f35dab0efe4380f2786ea0335f959f0befbc15f126ff1879c6b
Opcode Fuzzy Hash: 6f3d9f71186efa74c90e17b95c9a83508738aa63f458bd978d130155ad0f1e35
Instruction Fuzzy Hash: 36510B2290878469FB35DB7088117EEBFB89F52340F48C589D5CA5B1C3DA549E4CC762

Function 00975CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00975CE2
GetWindowRect.USER32(00000000,?), ref: 00975CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00975D59
GetDlgItem.USER32(?,00000002), ref: 00975D69
GetWindowRect.USER32(00000000,?), ref: 00975D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00975DCF
GetDlgItem.USER32(?,000003E9), ref: 00975DDD
GetWindowRect.USER32(00000000,?), ref: 00975DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00975E31
GetDlgItem.USER32(?,000003EA), ref: 00975E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00975E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00975E67

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 65a9759b34748a5e32f8dc7b63d93cc704fb4fab4793daec2dca11209f3cd5c8
Instruction ID: 7c7df54cb950117a5a0a6767aae33f2f1d85ae0f0c7dc0612cd093ee24cb52c1
Opcode Fuzzy Hash: 65a9759b34748a5e32f8dc7b63d93cc704fb4fab4793daec2dca11209f3cd5c8
Instruction Fuzzy Hash: B751FDB1B10605AFDF18CF68DD89AAEBBB9FF48300F158129F519E6290D7709E04CB90

Function 00928BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00928F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00928BE8,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 00928FC5

DestroyWindow.USER32(?), ref: 00928C81
KillTimer.USER32(00000000,?,?,?,?,00928BBA,00000000,?), ref: 00928D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00966973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 009669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 009669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00928BBA,00000000), ref: 009669D4
DeleteObject.GDI32(00000000), ref: 009669E6

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 40f716a9f79c1146c218c71cd7302cd5909ae12e9d02c8ec7beb1317e2426c17
Instruction ID: f231a7937c5c5aa6ef01bdc313eb3a5406b14919abb3b4770d7e84cdbb1434d9
Opcode Fuzzy Hash: 40f716a9f79c1146c218c71cd7302cd5909ae12e9d02c8ec7beb1317e2426c17
Instruction Fuzzy Hash: 1E61AD71516660DFDB25DF14EA88B2AB7F5FF41312F14491CE0829B5A8CB35AC90EF90

Function 00929838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00929944: GetWindowLongW.USER32(?,000000EB), ref: 00929952

GetSysColor.USER32(0000000F), ref: 00929862

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3e9c341767c7a0a81ed54beac1676c003c0b6c6d3578e4c386d2844e2eb75efb
Instruction ID: 884a24ca2bd9ef312d5bbcd4b6fbba13739322ac0d2e891ab93e3843681d1c43
Opcode Fuzzy Hash: 3e9c341767c7a0a81ed54beac1676c003c0b6c6d3578e4c386d2844e2eb75efb
Instruction Fuzzy Hash: F041D771508654AFDB245F38AC88BB93BA9FF17330F184655F9A28B1E5C7319C42EB50

Function 009796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0095F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00979717
LoadStringW.USER32(00000000,?,0095F7F8,00000001), ref: 00979720

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0095F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00979742
LoadStringW.USER32(00000000,?,0095F7F8,00000001), ref: 00979745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00979866

Strings

Line %d:, xrefs: 009797A0
%s (%d) : ==> %s: %s %s, xrefs: 0097984A
Line %d (File "%s"):, xrefs: 0097978F
^ ERROR, xrefs: 009797FB
Error: , xrefs: 0097981D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8ab35c0de5c2b5e567da6b661b696b4d967861d4359bdbb2f32a2e57d6d955f4
Instruction ID: b0dc41f3b2b739c2d2125fb5d890d1f431c1ea14b91544616619a116205c6742
Opcode Fuzzy Hash: 8ab35c0de5c2b5e567da6b661b696b4d967861d4359bdbb2f32a2e57d6d955f4
Instruction Fuzzy Hash: 2541607290420DAADF04EBE0DD96EEEB378EF95340F504065F60672092EB356F89CB61

Function 009706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00970804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0097082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00970837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0097083C

Strings

SOFTWARE\Classes\, xrefs: 0097070E
\CLSID, xrefs: 00970724
\IPC$, xrefs: 00970784

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a9ba808bfd9caeeb4c3b300551c135cb94c6ce76f5b0ade884a62b428584d89f
Instruction ID: c2cfc31ae6ce721af013af083b260ef793d55db7b2f5bde49504e0a46699963b
Opcode Fuzzy Hash: a9ba808bfd9caeeb4c3b300551c135cb94c6ce76f5b0ade884a62b428584d89f
Instruction Fuzzy Hash: 7E413872D1022CEBCF15EBA4DC95DEDB778BF84350F44812AE915A7160EB30AE44CB90

Function 009A3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009A403B
CreateCompatibleDC.GDI32(00000000), ref: 009A4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009A4055
SelectObject.GDI32(00000000,00000000), ref: 009A405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 009A4068
DeleteDC.GDI32(00000000), ref: 009A4072
GetWindowLongW.USER32(?,000000EC), ref: 009A407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 009A4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 009A409E

Strings

static, xrefs: 009A3FD3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d2f8a24fe3ecb917df59db633825b3d99b4dfd0dd3cb144cff06db2fa1f0b269
Instruction ID: b58597ac6f2a5b51203aa3415ff162d1dfb4844f6e65eec27d11c16ed84aa96e
Opcode Fuzzy Hash: d2f8a24fe3ecb917df59db633825b3d99b4dfd0dd3cb144cff06db2fa1f0b269
Instruction Fuzzy Hash: 86316C72515219BFDF219FA4CC09FDA3BA8EF4E324F110211FA15AA1A0C775D850EBE0

Function 00993C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00993C5C
CoInitialize.OLE32(00000000), ref: 00993C8A
CoUninitialize.OLE32 ref: 00993C94
_wcslen.LIBCMT ref: 00993D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00993DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00993ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00993F0E
CoGetObject.OLE32(?,00000000,009AFB98,?), ref: 00993F2D
SetErrorMode.KERNEL32(00000000), ref: 00993F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00993FC4
VariantClear.OLEAUT32(?), ref: 00993FD8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 48cadb2a5441eb9852517b8c730d2abb48bfdade8cddd3c6d4bf25d6ff6c74f4
Instruction ID: 3f35f6b8b27b8fcc579474a3cb7a36c60b454d63f00127d28e1a266d96bda052
Opcode Fuzzy Hash: 48cadb2a5441eb9852517b8c730d2abb48bfdade8cddd3c6d4bf25d6ff6c74f4
Instruction Fuzzy Hash: 27C136716083059FDB00DF68C89492BBBE9FF89744F14891DF98A9B250DB31EE45CB92

Function 00987A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00987AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00987B8F
SHGetDesktopFolder.SHELL32(?), ref: 00987BA3
CoCreateInstance.OLE32(009AFD08,00000000,00000001,009D6E6C,?), ref: 00987BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00987C74
CoTaskMemFree.OLE32(?,?), ref: 00987CCC
SHBrowseForFolderW.SHELL32(?), ref: 00987D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00987D7A
CoTaskMemFree.OLE32(00000000), ref: 00987D81
CoTaskMemFree.OLE32(00000000), ref: 00987DD6
CoUninitialize.OLE32 ref: 00987DDC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5f8eca0d155314422772425d502d1a202edd0914034e2cfabf4cfe3f020c3439
Instruction ID: 81b50f12949c1fe89c316917d0a1cb98e715a4396116337fc22a7dc1dfad3067
Opcode Fuzzy Hash: 5f8eca0d155314422772425d502d1a202edd0914034e2cfabf4cfe3f020c3439
Instruction Fuzzy Hash: 23C1F975A04109AFCB14DFA4C894DAEBBF9FF49314B148499E81ADB361D730EE85CB90

Function 009A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009A5515
CharNextW.USER32(00000158), ref: 009A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009A55AC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 888b367c310733fa840c653ba8eb184e3c59414c18338d4e812742e3e0bfdcd1
Instruction ID: fc0d4fa957aeff0050aa27a535893dd91d063d94584748e13b52ae7dcfc4d029
Opcode Fuzzy Hash: 888b367c310733fa840c653ba8eb184e3c59414c18338d4e812742e3e0bfdcd1
Instruction Fuzzy Hash: 31618B71A04609EBDF10CF94CC85AFE7BB9EF4B720F514545F925AA2A0D7748A80DBE0

Function 0096FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0096FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0096FB08
VariantInit.OLEAUT32(?), ref: 0096FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0096FB3A
VariantCopy.OLEAUT32(?,?), ref: 0096FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0096FBA1
VariantClear.OLEAUT32(?), ref: 0096FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0096FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096FBCC
VariantClear.OLEAUT32(?), ref: 0096FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096FBE9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3c8119da55e151bad8ee55ae1222163ec5a9af61e0573ccf6e22c22a6fd77737
Instruction ID: 817aa2b367c05fadec35923296ee22f6733113baa93fdcab579ee905c9e76c79
Opcode Fuzzy Hash: 3c8119da55e151bad8ee55ae1222163ec5a9af61e0573ccf6e22c22a6fd77737
Instruction Fuzzy Hash: 9C415375A04219DFCB00DFA4D8649EDBBB9FF49344F008069F955AB261DB30E945DF90

Function 00979C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00979CA1
GetAsyncKeyState.USER32(000000A0), ref: 00979D22
GetKeyState.USER32(000000A0), ref: 00979D3D
GetAsyncKeyState.USER32(000000A1), ref: 00979D57
GetKeyState.USER32(000000A1), ref: 00979D6C
GetAsyncKeyState.USER32(00000011), ref: 00979D84
GetKeyState.USER32(00000011), ref: 00979D96
GetAsyncKeyState.USER32(00000012), ref: 00979DAE
GetKeyState.USER32(00000012), ref: 00979DC0
GetAsyncKeyState.USER32(0000005B), ref: 00979DD8
GetKeyState.USER32(0000005B), ref: 00979DEA

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5c9a41adf3efb7e3f1f56dd801c89edafa28d2c2acfab01fedb4f97336ef3478
Instruction ID: 58a78067598f09062e7674cdda8f1f26136c1b810d81c9afd02bbed65471b004
Opcode Fuzzy Hash: 5c9a41adf3efb7e3f1f56dd801c89edafa28d2c2acfab01fedb4f97336ef3478
Instruction Fuzzy Hash: C241EB755087C96DFF31876484043B5BEE8EF12344F08C05AEACE5A6C2EBA499C4C7D2

Function 0099055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009905BC
inet_addr.WSOCK32(?), ref: 0099061C
gethostbyname.WSOCK32(?), ref: 00990628
IcmpCreateFile.IPHLPAPI ref: 00990636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009907B9
WSACleanup.WSOCK32 ref: 009907BF

Strings

Ping, xrefs: 00990676

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: efc483d6184f8e09de0427362e3005c4cca26a6d07e6d3702a33b4b03358b55c
Instruction ID: 5cd283674a37a8ab5ad3c5cd556d2e3d3baa6f71098194d4f44f394e18e95885
Opcode Fuzzy Hash: efc483d6184f8e09de0427362e3005c4cca26a6d07e6d3702a33b4b03358b55c
Instruction Fuzzy Hash: 8A9180756082019FD720CF19D889F1ABBE4AF84328F1585A9F4698B7A2C734FD85CF91

Function 00998CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00998CF3

Part of subcall function 00978E54: _wcslen.LIBCMT ref: 00978E77

_wcslen.LIBCMT ref: 00998D4E
_wcslen.LIBCMT ref: 00998D9C
_wcslen.LIBCMT ref: 00998DDC
_wcslen.LIBCMT ref: 00998E6E

Strings

cdecl, xrefs: 00998D48, 00998D4D
winapi, xrefs: 00998D96, 00998D9B
stdcall, xrefs: 00998DD6, 00998DDB
none, xrefs: 00998E65, 00998E6A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 3967a293c3d34d3703ef5e65274c039eba3ccce7ec3d5c11a5bc964449a5b15b
Instruction ID: e3833633bbb0373b206783d64b63d54d7f8d4284b6724c79c0b28af331afa2c2
Opcode Fuzzy Hash: 3967a293c3d34d3703ef5e65274c039eba3ccce7ec3d5c11a5bc964449a5b15b
Instruction Fuzzy Hash: 5E51B131A001169BCF24EFACC8509BFB3A9BF66724B21462DE426E72C4EB35DD40C790

Function 0099372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00993774
CoUninitialize.OLE32 ref: 0099377F
CoCreateInstance.OLE32(?,00000000,00000017,009AFB78,?), ref: 009937D9
IIDFromString.OLE32(?,?), ref: 0099384C
VariantInit.OLEAUT32(?), ref: 009938E4
VariantClear.OLEAUT32(?), ref: 00993936

Strings

Invalid parameter, xrefs: 00993865
Failed to create object, xrefs: 009937E4, 0099389A
NULL Pointer assignment, xrefs: 0099381E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c12c83074e4de5b51335b2eca95a432f43434052e181c36f05f9782fd0f00342
Instruction ID: 6f93a559469324d1b9f5506608a39509f21b016fb8d19d6ee5854cd151e2ac4b
Opcode Fuzzy Hash: c12c83074e4de5b51335b2eca95a432f43434052e181c36f05f9782fd0f00342
Instruction Fuzzy Hash: 1361B2B1608301AFD710DF99C848F6AB7E8EF89714F00880DF9859B291D774EE48CB92

Function 00983388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009833CF

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009833F0

Strings

Line %d (File "%s"):, xrefs: 00983443, 0098345C
Incorrect parameters to object property !, xrefs: 009834AB
"%s" (%d) : ==> %s:, xrefs: 00983522
^ ERROR , xrefs: 0098349E
Error: , xrefs: 009834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00983504

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bd5f190e8d4ea699060ddb9d580c8c266bdcc5475bfee3ab546fd6b47fd7b22b
Instruction ID: b4c4b1dc05dc4a0d4c657dd6e4e8780c6104f2e783da302f7c4869577fab1392
Opcode Fuzzy Hash: bd5f190e8d4ea699060ddb9d580c8c266bdcc5475bfee3ab546fd6b47fd7b22b
Instruction Fuzzy Hash: 9F519272904209AADF14EBE0DD52FEEB778EF44740F108065F50972161EB356F98DB60

Function 0097B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0097B5FC
_wcslen.LIBCMT ref: 0097B608
_wcslen.LIBCMT ref: 0097B64D
_wcslen.LIBCMT ref: 0097B68C
_wcslen.LIBCMT ref: 0097B6C7

Strings

REMOVE, xrefs: 0097B602, 0097B607
EXISTS, xrefs: 0097B686, 0097B68B
APPEND, xrefs: 0097B6C1, 0097B6C6
KEYS, xrefs: 0097B647, 0097B64C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4171929c8ed09b5c6a7f5adc19f4a15436c156e9adc51e453dbe67f8dbe7542c
Instruction ID: adf016cf42824a49fe886a113ba1fd5405a2703d944b2a4e76fc3f780aea3e8c
Opcode Fuzzy Hash: 4171929c8ed09b5c6a7f5adc19f4a15436c156e9adc51e453dbe67f8dbe7542c
Instruction Fuzzy Hash: 5F41DB33A001269ACB205F7DC8907BE77A9BFA0774B258129E629DB284E735CD81C790

Function 00985393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00985416
GetLastError.KERNEL32 ref: 00985420
SetErrorMode.KERNEL32(00000000,READY), ref: 009854A7

Strings

READONLY, xrefs: 00985452
UNKNOWN, xrefs: 00985444
INVALID, xrefs: 00985459
READY, xrefs: 00985460, 00985468
NOTREADY, xrefs: 0098544B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8b589570026240bc0079e7fdc7fe6f0ed93381cc3472a6678274050b871b12e2
Instruction ID: 3595ab0051776f77de7d766630b7dc56c7125aa76db8e4545d32424bd30ab689
Opcode Fuzzy Hash: 8b589570026240bc0079e7fdc7fe6f0ed93381cc3472a6678274050b871b12e2
Instruction Fuzzy Hash: E3318F75A006059FD710EF68C884BAABBF8EF45305F158065E405CF3A2DB75DD8ACB90

Function 009A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009A3C79
SetMenu.USER32(?,00000000), ref: 009A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009A3D10
IsMenu.USER32(?), ref: 009A3D24
CreatePopupMenu.USER32 ref: 009A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009A3D5B
DrawMenuBar.USER32 ref: 009A3D63

Strings

F, xrefs: 009A3D4E
0, xrefs: 009A3C54

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4a5fddbe3b3ccbcd9f048c96502bd1ef1813742e9784671457d584521b204b38
Instruction ID: 6cb4148ba825f6ec22b341c8371c29d9949edf36465b89b22bfb7fa063e0755e
Opcode Fuzzy Hash: 4a5fddbe3b3ccbcd9f048c96502bd1ef1813742e9784671457d584521b204b38
Instruction Fuzzy Hash: E0415E75A15209EFDB14CF64D884ADA77B9FF4A350F144029F946AB3A0D730AE10DF94

Function 00971EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00971F64
GetDlgCtrlID.USER32 ref: 00971F6F
GetParent.USER32 ref: 00971F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00971F8E
GetDlgCtrlID.USER32(?), ref: 00971F97
GetParent.USER32(?), ref: 00971FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00971FAE

Strings

ComboBox, xrefs: 00971EEC
ListBox, xrefs: 00971F21

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: df6e9043a9a3abe1f5e598fd8302eccc284a02160248f52768c1fdd9aeb2757d
Instruction ID: 6f74d3676f103d5da209d97d15511dc45ec8b272c90160bf5d48f569ae51f73b
Opcode Fuzzy Hash: df6e9043a9a3abe1f5e598fd8302eccc284a02160248f52768c1fdd9aeb2757d
Instruction Fuzzy Hash: 4521C271A00218BBCF05EFA4CC95EEEBBB8EF46350B108156F9A567291DB385944DBA0

Function 00971FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00972043
GetDlgCtrlID.USER32 ref: 0097204E
GetParent.USER32 ref: 0097206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0097206D
GetDlgCtrlID.USER32(?), ref: 00972076
GetParent.USER32(?), ref: 0097208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0097208D

Strings

ComboBox, xrefs: 00971FCD
ListBox, xrefs: 00972002

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7b21c45da30260aa7a26c555ccc8c9d98db2a5f3ffd3dba81788c22bf3f80f06
Instruction ID: 2d8b9399d6a1653357d8675ae51a6bf09ef412d45243a81557d0e770d507ebde
Opcode Fuzzy Hash: 7b21c45da30260aa7a26c555ccc8c9d98db2a5f3ffd3dba81788c22bf3f80f06
Instruction Fuzzy Hash: 2421C9B6A10218BBCF11EFA0CC45EFEBBB8EF05340F108456F99567191DA794554DBB0

Function 009A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009A3C13

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b7a0fea38018bf5abb7b8aecb7c4e9ee9279d84b9d903eaaefb52ce0a074d03e
Instruction ID: 5e4cdc3aa5eae63d7a679a1b6f91421a1c588d95992976af8fdf1f8451f83a38
Opcode Fuzzy Hash: b7a0fea38018bf5abb7b8aecb7c4e9ee9279d84b9d903eaaefb52ce0a074d03e
Instruction Fuzzy Hash: DC617E75900248AFDB10DFA4CC81EEE77F8EF49710F104159FA15AB291D774AE45DBA0

Function 0097B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0097B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B165
GetWindowThreadProcessId.USER32(00000000), ref: 0097B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0097B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B21D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d8da45803a1b6fc80501651d88ed8426b607c477e92eb3947889951d2f008f57
Instruction ID: 6832a06c5c383bbea55ed04de950798e03c0b77d35579d162450af4d98f3e89f
Opcode Fuzzy Hash: d8da45803a1b6fc80501651d88ed8426b607c477e92eb3947889951d2f008f57
Instruction Fuzzy Hash: D8315CB6528208FFDB109F64DC88B6D7BADAF62312F10C415FA19DB191D7B49E409FA0

Function 00942C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00942C94

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 00942CA0
_free.LIBCMT ref: 00942CAB
_free.LIBCMT ref: 00942CB6
_free.LIBCMT ref: 00942CC1
_free.LIBCMT ref: 00942CCC
_free.LIBCMT ref: 00942CD7
_free.LIBCMT ref: 00942CE2
_free.LIBCMT ref: 00942CED
_free.LIBCMT ref: 00942CFB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f06cf86e0fca99c0be2d30819eb200e2cfb95cf825d39c540f0bc2e32aa2c81f
Instruction ID: 297157afeb104a21b2d6a5d03fdb24c1b97a025fc78e002017bb1e94c1b967f6
Opcode Fuzzy Hash: f06cf86e0fca99c0be2d30819eb200e2cfb95cf825d39c540f0bc2e32aa2c81f
Instruction Fuzzy Hash: 2A11C576100108BFDB02EF95DA92EDD3BA9FF45350F9144A5FA489F232DA31EE509B90

Function 00987DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00987FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00987FC1
GetFileAttributesW.KERNEL32(?), ref: 00987FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00988005
SetCurrentDirectoryW.KERNEL32(?), ref: 00988017
SetCurrentDirectoryW.KERNEL32(?), ref: 00988060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009880B0

Strings

*.*, xrefs: 00988066

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f7449d48cee622d1587756490dc5d12e26a4d017c4491f981b31d791cec7d9f1
Instruction ID: 9992a56852fba7b6a5e11c1be95eecfc6f4e0cd73ec22ccc34a1c7020fdf8684
Opcode Fuzzy Hash: f7449d48cee622d1587756490dc5d12e26a4d017c4491f981b31d791cec7d9f1
Instruction Fuzzy Hash: F381A2725082059BCB20FF94C444AAAF3E8BF89310F644C5EF889D7361EB35DD458B92

Function 00915BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00915C7A

Part of subcall function 00915D0A: GetClientRect.USER32(?,?), ref: 00915D30
Part of subcall function 00915D0A: GetWindowRect.USER32(?,?), ref: 00915D71
Part of subcall function 00915D0A: ScreenToClient.USER32(?,?), ref: 00915D99

GetDC.USER32 ref: 009546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00954708
SelectObject.GDI32(00000000,00000000), ref: 00954716
SelectObject.GDI32(00000000,00000000), ref: 0095472B
ReleaseDC.USER32(?,00000000), ref: 00954733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009547C4

Strings

U, xrefs: 00954693

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b345c56cae30821a8f141d71077ba0cf1b73ed22c077b01788dab6bc1de36d94
Instruction ID: 7ccbc4781743c3766aee89866634a286456bc451cf211f6ed65f8a602aa12122
Opcode Fuzzy Hash: b345c56cae30821a8f141d71077ba0cf1b73ed22c077b01788dab6bc1de36d94
Instruction Fuzzy Hash: CC71FF34504209DFCF21CF64C984AEA3BB9FF8A32AF154229ED555A2A6C7308CC5DF90

Function 0098359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009835E4

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

LoadStringW.USER32(009E2390,?,00000FFF,?), ref: 0098360A

Strings

Line %d (File "%s"):, xrefs: 0098366B
"%s" (%d) : ==> %s:, xrefs: 00983742
^ ERROR, xrefs: 009836C9
Error: , xrefs: 009836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00983724

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 43b845855e516d1228db3b78efeee5d396b6cff9cddfa5a2d62e009df19d12f4
Instruction ID: 1a8783693c2909fd8719facd2ecf14d183f948c316f86614420b1c8f44a1394a
Opcode Fuzzy Hash: 43b845855e516d1228db3b78efeee5d396b6cff9cddfa5a2d62e009df19d12f4
Instruction Fuzzy Hash: 7A517E72900209BADF14EBA0DC52FEDBB38EF84740F548125F515721A1EB306AD9DFA0

Function 009A8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

Part of subcall function 0092912D: GetCursorPos.USER32(?), ref: 00929141
Part of subcall function 0092912D: ScreenToClient.USER32(00000000,?), ref: 0092915E
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000001), ref: 00929183
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000002), ref: 0092919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009A8B6B
ImageList_EndDrag.COMCTL32 ref: 009A8B71
ReleaseCapture.USER32 ref: 009A8B77
SetWindowTextW.USER32(?,00000000), ref: 009A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009A8CFF

Strings

@GUI_DRAGFILE, xrefs: 009A8C9A
@GUI_DROPID, xrefs: 009A8C51

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: f0902ce0da2b0479494734dba3ecbd3746a35dd3f3469b84814eddad88fca92c
Instruction ID: af32ae2f63f121798aaa67e60d82f2c00eb0ad1b406b56eedc079238f194a454
Opcode Fuzzy Hash: f0902ce0da2b0479494734dba3ecbd3746a35dd3f3469b84814eddad88fca92c
Instruction Fuzzy Hash: BF518B70208344AFD714DF14DC96FAA77E4FB89754F000629F9966B2A2DB709D44CBA2

Function 0098C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0098C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0098C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0098C2CA
GetLastError.KERNEL32 ref: 0098C322
SetEvent.KERNEL32(?), ref: 0098C336
InternetCloseHandle.WININET(00000000), ref: 0098C341

Strings

, xrefs: 0098C2BB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 42959bfb5fcb5fa08e7eb758f04b414b3791c43168eab0795673e161621c1b00
Instruction ID: 324849d781b878f68d655ffb295d42f23c809ada8e275f68f1b9e92c5d05535b
Opcode Fuzzy Hash: 42959bfb5fcb5fa08e7eb758f04b414b3791c43168eab0795673e161621c1b00
Instruction Fuzzy Hash: 473169F1604608AFDB21AFA49888AAB7BFCEF4A744B10851EF446D6340DB34DD059BB0

Function 0097989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00953AAF,?,?,Bad directive syntax error,009ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009798BC
LoadStringW.USER32(00000000,?,00953AAF,?), ref: 009798C3

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00979987

Strings

Line %d:, xrefs: 00979912
Line %d (File "%s"):, xrefs: 0097992D
., xrefs: 0097996D
Error: , xrefs: 00979955
%s (%d) : ==> %s.: %s %s, xrefs: 009798F1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8133bfdd35b5ff313929bc628545923372d81019fe5347aa326d23f240936951
Instruction ID: 48a594f1aabb0e31df7ec0a57203c67d9c7d9b5016bc020be1f86d62119f9803
Opcode Fuzzy Hash: 8133bfdd35b5ff313929bc628545923372d81019fe5347aa326d23f240936951
Instruction Fuzzy Hash: 6D21B13294021EABDF11EF90CC16FEE7779FF58304F048466F629660A2EB31A658DB50

Function 0097209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0097214D

Strings

SHELLDLL_DefView, xrefs: 009720CC
list, xrefs: 0097212F
largeicons, xrefs: 009720E1
details, xrefs: 009720FB
smallicons, xrefs: 00972115

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 84e240b9665705913022e22b41ce0016256996db278305e8f459e97eb79d7fda
Instruction ID: 664afe839fc361cfb28c47bd92bbebb30dccf2bd66ad6d23047201deba0d7588
Opcode Fuzzy Hash: 84e240b9665705913022e22b41ce0016256996db278305e8f459e97eb79d7fda
Instruction Fuzzy Hash: E411067B6DC707B9F6016720DC06EB6379CEF45328F618017FB08E91E1EE69A8015B54

Function 00948D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55cd2663b6e7a6a55a87adbee2d601be4a3fbcf46925f33851c15025047d541
Instruction ID: 8083d4decfa73b029cfedffb26d45f9e72192c1e6b171c7d642f915c61617ff9
Opcode Fuzzy Hash: d55cd2663b6e7a6a55a87adbee2d601be4a3fbcf46925f33851c15025047d541
Instruction Fuzzy Hash: 94C1D074E04249AFDF11DFA8D881FAFBBB8AF49310F044199F814AB392CB749941CB61

Function 0094CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0094CEB7
_free.LIBCMT ref: 0094CF22
_free.LIBCMT ref: 0094CF48
_free.LIBCMT ref: 0094CF71
_free.LIBCMT ref: 0094CFA9
_free.LIBCMT ref: 0094CFDA
_free.LIBCMT ref: 0094D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0094D09C
_free.LIBCMT ref: 0094D0B5

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b6758646d107a4575cf67f6f5c1c85be13979989c489b408ca1505356336758e
Instruction ID: f659ff457532438e89b0f149af2797348cfda4be185e4ba9f59cd2d353298d1a
Opcode Fuzzy Hash: b6758646d107a4575cf67f6f5c1c85be13979989c489b408ca1505356336758e
Instruction Fuzzy Hash: 11618DB1906301AFDF21AFB4DC91F6E7BA9EF45310F4441ADF9409B282DB399D448760

Function 009A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009A5186
ShowWindow.USER32(?,00000000), ref: 009A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009A51D1

Part of subcall function 009A6FBA: DeleteObject.GDI32(00000000), ref: 009A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 009A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009A5296

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 07ea764c6e04b519778451f3757279936339485b28254930a13e1343a9178abc
Instruction ID: 95e8ff4564094b29a06948b3e3a95bcc460e47c7f39168529b827993586d50bf
Opcode Fuzzy Hash: 07ea764c6e04b519778451f3757279936339485b28254930a13e1343a9178abc
Instruction Fuzzy Hash: 3F51A270B59A08BEEF309F24DC49BE83B69EB47321F164011FA259A2E1C775D980DBC0

Function 00928B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00966890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00928874,00000000,00000000,00000000,000000FF,00000000), ref: 00966901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0096691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00928874,00000000,00000000,00000000,000000FF,00000000), ref: 0096692D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7283d1ba602a74ece175ee067580ab65bc872d5444ef78322134016d3ec1fa0c
Instruction ID: df631433e8549cd8e0d75c9db5884ad8420729f15ea1ad8ab44c3c9c9cf6fef9
Opcode Fuzzy Hash: 7283d1ba602a74ece175ee067580ab65bc872d5444ef78322134016d3ec1fa0c
Instruction Fuzzy Hash: EE515BB0610209AFDB24CF24DC95FAA7BB9EF98750F10451CF9569B2A0DB70E990DB90

Function 0098C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0098C182
GetLastError.KERNEL32 ref: 0098C195
SetEvent.KERNEL32(?), ref: 0098C1A9

Part of subcall function 0098C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0098C272
Part of subcall function 0098C253: GetLastError.KERNEL32 ref: 0098C322
Part of subcall function 0098C253: SetEvent.KERNEL32(?), ref: 0098C336
Part of subcall function 0098C253: InternetCloseHandle.WININET(00000000), ref: 0098C341

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7bcfae296122d0544862d4b7e9911833717d060b965bbc363bcadc806e99c569
Instruction ID: c77e28482c2fdd7203443c1716f6de224dbc7cd0c199c2b894e05ccb9042ba7d
Opcode Fuzzy Hash: 7bcfae296122d0544862d4b7e9911833717d060b965bbc363bcadc806e99c569
Instruction Fuzzy Hash: C2317CB1204601BFDB21AFA5DC48A66BBECFF59310B00841DF96686760DB35E814ABB0

Function 009725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00973A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00973A57
Part of subcall function 00973A3D: GetCurrentThreadId.KERNEL32 ref: 00973A5E
Part of subcall function 00973A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009725B3), ref: 00973A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00972601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00972605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0097260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00972623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00972627

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0dc333b5b5f0e7aaf82620d9cfa58cb0db120a9f7418290f7006a978946d3bb9
Instruction ID: b5ecbceb28dfe924bcfd7b1fdb449f34ecac83d64b584b516274a4638cb79b49
Opcode Fuzzy Hash: 0dc333b5b5f0e7aaf82620d9cfa58cb0db120a9f7418290f7006a978946d3bb9
Instruction Fuzzy Hash: 3601D8713A8210BBFB1067689C8AF593F59DF8EB11F104001F318AE0D1C9E114459AA9

Function 00971803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00971449,?,?,00000000), ref: 0097180C
HeapAlloc.KERNEL32(00000000,?,00971449,?,?,00000000), ref: 00971813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00971449,?,?,00000000), ref: 00971828
GetCurrentProcess.KERNEL32(?,00000000,?,00971449,?,?,00000000), ref: 00971830
DuplicateHandle.KERNEL32(00000000,?,00971449,?,?,00000000), ref: 00971833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00971449,?,?,00000000), ref: 00971843
GetCurrentProcess.KERNEL32(00971449,00000000,?,00971449,?,?,00000000), ref: 0097184B
DuplicateHandle.KERNEL32(00000000,?,00971449,?,?,00000000), ref: 0097184E
CreateThread.KERNEL32(00000000,00000000,00971874,00000000,00000000,00000000), ref: 00971868

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 109a999761235daa73ec0c16d788d91a7336ac21c901ba171f6169a2894227ee
Instruction ID: 2bd291d10cfd35f20a9007d45574915062d343b77c77ee1e9ee66ab57b287d75
Opcode Fuzzy Hash: 109a999761235daa73ec0c16d788d91a7336ac21c901ba171f6169a2894227ee
Instruction Fuzzy Hash: DA01A8B5354308BFE610ABA5DC49F6B3BACEB8AB11F008411FA05DB1A1DA7098009B60

Function 0099A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0097D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0097D501
Part of subcall function 0097D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0097D50F
Part of subcall function 0097D4DC: CloseHandle.KERNELBASE(00000000), ref: 0097D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0099A16D
GetLastError.KERNEL32 ref: 0099A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0099A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0099A268
GetLastError.KERNEL32(00000000), ref: 0099A273
CloseHandle.KERNEL32(00000000), ref: 0099A2C4

Strings

SeDebugPrivilege, xrefs: 0099A18F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2671a2ced46198db0af5cd3bf3a2d3e2a5efdd9f08e648c02ae494f478c45c95
Instruction ID: 2a22447e3700225eba3b55a9d4f7424af5dd1bb100bb3f96a0586cc67ff9a1eb
Opcode Fuzzy Hash: 2671a2ced46198db0af5cd3bf3a2d3e2a5efdd9f08e648c02ae494f478c45c95
Instruction Fuzzy Hash: 4D616C71208242AFDB20DF18C494F59BBE5EF94318F14849CE4664B7A2C776ED86CBD2

Function 009A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009A3954
_wcslen.LIBCMT ref: 009A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009A39F4

Strings

SysListView32, xrefs: 009A38F7

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d1bedac2d41fdfddd892c05b254efd49eba15609566bf42793790dfce0de7f5a
Instruction ID: a73720c0436c88056691197cd748601edb05a73d34e0c3c4bb358290f835b319
Opcode Fuzzy Hash: d1bedac2d41fdfddd892c05b254efd49eba15609566bf42793790dfce0de7f5a
Instruction Fuzzy Hash: D841C171A00219ABEF21DF64CC49FEA7BA9EF49354F104526F948E7281D7B59E80CBD0

Function 0097BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0097BCFD
IsMenu.USER32(00000000), ref: 0097BD1D
CreatePopupMenu.USER32 ref: 0097BD53
GetMenuItemCount.USER32(01095530), ref: 0097BDA4
InsertMenuItemW.USER32(01095530,?,00000001,00000030), ref: 0097BDCC

Strings

2, xrefs: 0097BD37
0, xrefs: 0097BCA8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: bc321bf81b0262fb323ea001a2f4ef7a8e843d66020070f217d3223f1639e6c4
Instruction ID: 25455eafa1b6ae009f5bf412b87bfb0b45d575659f7924a41895c35c0826312e
Opcode Fuzzy Hash: bc321bf81b0262fb323ea001a2f4ef7a8e843d66020070f217d3223f1639e6c4
Instruction Fuzzy Hash: 5E519CB2A042059FDB21CFA8D888BAEBBF8AF85314F14C519F559DB2D1E7709940CB61

Function 0097C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0097C913

Strings

blank, xrefs: 0097C895
warning, xrefs: 0097C8FC
stop, xrefs: 0097C8E4
question, xrefs: 0097C8CC
info, xrefs: 0097C8B4

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e39b8ed89bef719b9b01202fa9a62584f04533a4feb4ff8c1e11d44b2568f5cc
Instruction ID: 4ec15e4d1fd5ac739503c657c8e5776e1cde5cec7ba2d1dbeddecec84940d4bf
Opcode Fuzzy Hash: e39b8ed89bef719b9b01202fa9a62584f04533a4feb4ff8c1e11d44b2568f5cc
Instruction Fuzzy Hash: 78113A7368930ABAE7009B149C83DEA679CDF55318F20842FF608E6282E7B46E005769

Function 0097DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0097DE42
gethostname.WSOCK32(?,00000100), ref: 0097DE5C
gethostbyname.WSOCK32(?), ref: 0097DE69
inet_ntoa.WSOCK32(?), ref: 0097DEAB
_strcat.LIBCMT ref: 0097DEB9
WSACleanup.WSOCK32 ref: 0097DEDE

Strings

0.0.0.0, xrefs: 0097DE87

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 703a015005b573d3be824d313a9535319489dcb64a19c4e56087537ac53ef58d
Instruction ID: 07ac944851a4a2cd66a94ca83a4c9fe75f538946664bf91732f7a793503144f5
Opcode Fuzzy Hash: 703a015005b573d3be824d313a9535319489dcb64a19c4e56087537ac53ef58d
Instruction Fuzzy Hash: 06115972904114AFDB21AB30DC0AFEF77BCEF95710F014169F0499A091EF749E809E90

Function 009A9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

GetSystemMetrics.USER32(0000000F), ref: 009A9FC7
GetSystemMetrics.USER32(0000000F), ref: 009A9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009AA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009AA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009AA263
ShowWindow.USER32(00000003,00000000), ref: 009AA282
InvalidateRect.USER32(?,00000000,00000001), ref: 009AA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 009AA2CA

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2753ce1691eea6fffe2ac31e1fab14a65712877fa527a52e8a5cac24d818e8d3
Instruction ID: 6eeb29d63133faef14b09d6a393cd2f1256257395b3b67557b80229023402a54
Opcode Fuzzy Hash: 2753ce1691eea6fffe2ac31e1fab14a65712877fa527a52e8a5cac24d818e8d3
Instruction Fuzzy Hash: 49B1D830600215EFDF14CF68C9847AE7BB2FF4A301F088069EC59AF295DB31A950CBA1

Function 0097ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0097ED2A
_wcslen.LIBCMT ref: 0097ED3B
_wcslen.LIBCMT ref: 0097ED79
_wcslen.LIBCMT ref: 0097EDAF
_wcslen.LIBCMT ref: 0097EDDF
_wcslen.LIBCMT ref: 0097EDEF
_wcslen.LIBCMT ref: 0097EE2B
_wcslen.LIBCMT ref: 0097EE5A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b6b2d527f5ac16d0caa18675f609775ed84ed039f3ffc40cf5ae3cc9648eeac1
Instruction ID: e93251b02a5888121b844a8246f051e9b2012d33771d4dcc2d82a58625434509
Opcode Fuzzy Hash: b6b2d527f5ac16d0caa18675f609775ed84ed039f3ffc40cf5ae3cc9648eeac1
Instruction Fuzzy Hash: AA419666C1111875CB11EBF4888ABCF77ACAF89710F518462F528E3121FB34E255CBA5

Function 0092F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 0092F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 0096F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 0096F454

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 35f2fbbec99882e2b9abfa2262293999135f47a39ef9714149bb2de842a73a32
Instruction ID: 3c87697926a1e2773adfd473f16111e515bab132ae4f63f50cd005f622995a32
Opcode Fuzzy Hash: 35f2fbbec99882e2b9abfa2262293999135f47a39ef9714149bb2de842a73a32
Instruction Fuzzy Hash: 74416D3960C790BAC7388B2DF8B8B2A7BF9AF46350F14443CF04756668C635A8C0DB50

Function 009A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009A2D1B
GetDC.USER32(00000000), ref: 009A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009A2DE1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d2e074b2a8f19485c9cd9d0a8547d2df00b45bcfab53bb661a68ae558e237852
Instruction ID: c22fa554f47cbccc775223ba73855e75378c10b168834c0a16bd072778d9a71e
Opcode Fuzzy Hash: d2e074b2a8f19485c9cd9d0a8547d2df00b45bcfab53bb661a68ae558e237852
Instruction Fuzzy Hash: 95317CB2215214BFEB118F54CC8AFEB3BADEF0A715F044055FE089E291C6759C50CBA4

Function 00975622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00975637
_memcmp.LIBVCRUNTIME ref: 00975659
_memcmp.LIBVCRUNTIME ref: 00975671
_memcmp.LIBVCRUNTIME ref: 00975684
_memcmp.LIBVCRUNTIME ref: 0097569E
_memcmp.LIBVCRUNTIME ref: 009756B1
_memcmp.LIBVCRUNTIME ref: 009756C9
_memcmp.LIBVCRUNTIME ref: 009756E4

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bbd6053d4c15b5de1a35f4f7016bcb26dc329485a634109ebbc041305d6cd9e3
Instruction ID: b33733b45df1f2c5c11eec1c46151c739cce745c7130e567c23557f8070d8c8e
Opcode Fuzzy Hash: bbd6053d4c15b5de1a35f4f7016bcb26dc329485a634109ebbc041305d6cd9e3
Instruction Fuzzy Hash: BE210B63740A0977D65855218D92FFB335DAFA1398F458020FD0C9A581FBA5EE1085E5

Function 00994FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00995007
NULL Pointer assignment, xrefs: 0099502E, 00995383

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 44ee56895840248589b98e86ad3fc2bf5579c31d243e31f81e35e704ae51e904
Instruction ID: 92c05a8afff6bd1dea61782adbdcca8c6d3d7e9bab4784176e544aaa871eaefa
Opcode Fuzzy Hash: 44ee56895840248589b98e86ad3fc2bf5579c31d243e31f81e35e704ae51e904
Instruction Fuzzy Hash: 38D1B371A0060ADFDF11CFACC881BAEB7B9BF88344F158469E915AB281E771DD45CB90

Function 00951522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00951651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009517FB,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009516FB

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00951777
__freea.LIBCMT ref: 009517A2
__freea.LIBCMT ref: 009517AE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 12bd24d197a3835f6f121e7d0b880a8956fd9e1929e7f327fc6078ec9d494e29
Instruction ID: ac3ea8b74a5b46645662341bc329e2a4927352aeec0f374516df395aa1beceed
Opcode Fuzzy Hash: 12bd24d197a3835f6f121e7d0b880a8956fd9e1929e7f327fc6078ec9d494e29
Instruction Fuzzy Hash: 5C919371E002169ADB20CE7AC881FEE7BB99F49311F184659FC06E7141EB35DD89CBA0

Function 00994523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00994648
VariantInit.OLEAUT32(?), ref: 00994749
VariantClear.OLEAUT32(?), ref: 00994753
VariantClear.OLEAUT32(?), ref: 009947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0099472C
Null Object assignment in FOR..IN loop, xrefs: 009945D8, 00994706, 009947BE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0bdd64743dc10c555a0e07299ec7143eff1232f6756456e892a9fd0aaacd13e3
Instruction ID: 71c678a385d2e674b4896f578da3ccc864c11229645ef22c1504b1d24966512f
Opcode Fuzzy Hash: 0bdd64743dc10c555a0e07299ec7143eff1232f6756456e892a9fd0aaacd13e3
Instruction Fuzzy Hash: 3891A471A00219AFDF25CFA8CC44FAEBBB8EF86715F108559F505AB280D7709942CFA0

Function 00981187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0098125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00981284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0098135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00981430

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: ffabbb116b738a033356b5196b96dbf90af3fdf6d8c81cc92d2a0be8c4867ab6
Instruction ID: 7d3461e00a4657f5646b5be38f80ea2265b0906f886e057e0a1a70d3eb21778a
Opcode Fuzzy Hash: ffabbb116b738a033356b5196b96dbf90af3fdf6d8c81cc92d2a0be8c4867ab6
Instruction Fuzzy Hash: F491E371A002199FDB00EFA4C884BBE77BDFF85315F104429E951EB3A1D778A946CB90

Function 0092948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6ec00357324af2abd1a4198aba295ba34ae8c5d08babbb3a5a8131b23870c319
Instruction ID: 19605ca9b0f6487b538330c126b4237479179f9ca326286d098af07bf99ac6c1
Opcode Fuzzy Hash: 6ec00357324af2abd1a4198aba295ba34ae8c5d08babbb3a5a8131b23870c319
Instruction Fuzzy Hash: 76913771E04229EFCB10CFA9DC84AEEBBB8FF49320F144455E915B7255D378A941CBA0

Function 00993947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0099396B
CharUpperBuffW.USER32(?,?), ref: 00993A7A
_wcslen.LIBCMT ref: 00993A8A
VariantClear.OLEAUT32(?), ref: 00993C1F

Part of subcall function 00980CDF: VariantInit.OLEAUT32(00000000), ref: 00980D1F
Part of subcall function 00980CDF: VariantCopy.OLEAUT32(?,?), ref: 00980D28
Part of subcall function 00980CDF: VariantClear.OLEAUT32(?), ref: 00980D34

Strings

Incorrect Parameter format, xrefs: 009939A6, 00993BA1
AUTOIT.ERROR, xrefs: 00993A80, 00993A85

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 2f4a5da9733e804b08dcaadee3ef4d0a2da1f3aaba95bd68c09d6d4d82dbf5de
Instruction ID: 179602030b9a2149ce55f356a3c40bf4bc1612a9e4972f3f244716a90d7483ea
Opcode Fuzzy Hash: 2f4a5da9733e804b08dcaadee3ef4d0a2da1f3aaba95bd68c09d6d4d82dbf5de
Instruction Fuzzy Hash: D39149756083059FCB00DF68C490A6AB7E9BFC9314F14886DF8899B351DB31EE45CB92

Function 00994BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0097000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?,?,0097035E), ref: 0097002B
Part of subcall function 0097000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970046
Part of subcall function 0097000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970054
Part of subcall function 0097000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?), ref: 00970064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00994C51
_wcslen.LIBCMT ref: 00994D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00994DCF
CoTaskMemFree.OLE32(?), ref: 00994DDA

Strings

NULL Pointer assignment, xrefs: 00994E23, 00994E52

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 49b254bce8859540303b55fc1cac34129f2ecc00120f1bc4f2774ee0d12c9f2e
Instruction ID: e4901b7cbad84e1dac1ca253ea7422c0fa78fa8deaba2ba435979de28c9255b6
Opcode Fuzzy Hash: 49b254bce8859540303b55fc1cac34129f2ecc00120f1bc4f2774ee0d12c9f2e
Instruction Fuzzy Hash: 31912971D0021D9FDF15DFA4C891EEEB7B8BF48310F108569E919A7291EB349A45CFA0

Function 009A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009A2183
GetMenuItemCount.USER32(00000000), ref: 009A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009A21DD
_wcslen.LIBCMT ref: 009A2213
GetMenuItemID.USER32(?,?), ref: 009A224D
GetSubMenu.USER32(?,?), ref: 009A225B

Part of subcall function 00973A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00973A57
Part of subcall function 00973A3D: GetCurrentThreadId.KERNEL32 ref: 00973A5E
Part of subcall function 00973A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009725B3), ref: 00973A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009A22E3

Part of subcall function 0097E97B: Sleep.KERNEL32 ref: 0097E9F3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 5376fd5c8e8e70b73d248fa0c0bab3fb748787c3445eaf3b5a2839493e8b0f69
Instruction ID: be0eae845b280ace466005cce171066a128b9e1fd837b890144fdb590372554b
Opcode Fuzzy Hash: 5376fd5c8e8e70b73d248fa0c0bab3fb748787c3445eaf3b5a2839493e8b0f69
Instruction Fuzzy Hash: C3717D75A04205AFCB14DF68C845BAEB7F5EF8A310F158469E826EB351DB34ED418BD0

Function 009A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010955F8), ref: 009A7F37
IsWindowEnabled.USER32(010955F8), ref: 009A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009A801E
SendMessageW.USER32(010955F8,000000B0,?,?), ref: 009A8051
IsDlgButtonChecked.USER32(?,?), ref: 009A8089
GetWindowLongW.USER32(010955F8,000000EC), ref: 009A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009A80C3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5da41e2c5b9279d04766c8878f08fc6206677a1d66e3697c27555c7ab1a69652
Instruction ID: 7ce40e9fb3268a5f873c84e6fa44e31250b90f45fa45a97b16f6b02f0bc96d20
Opcode Fuzzy Hash: 5da41e2c5b9279d04766c8878f08fc6206677a1d66e3697c27555c7ab1a69652
Instruction Fuzzy Hash: 2571AC74608214AFEB21DFA4CC95FEABBB9EF4B300F144459E94597261CB31AE44DBA0

Function 0097AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0097AEF9
GetKeyboardState.USER32(?), ref: 0097AF0E
SetKeyboardState.USER32(?), ref: 0097AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0097AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0097AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0097AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0097B020

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 577b6380ead690fc0e68fcc6c42958e155809f9751c20046fbfc2d7708e18952
Instruction ID: 0da154a88f2257f5cf139bcf83c9814eb3de161a6c09cf1ed0d8c6657ec38fff
Opcode Fuzzy Hash: 577b6380ead690fc0e68fcc6c42958e155809f9751c20046fbfc2d7708e18952
Instruction Fuzzy Hash: B951CFA26086D53DFB3682348C45BBEBEA95B46304F08C589E1ED958C2D398A888D752

Function 0097ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0097AD19
GetKeyboardState.USER32(?), ref: 0097AD2E
SetKeyboardState.USER32(?), ref: 0097AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0097ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0097ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0097AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0097AE38

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5cfe04b07cfaba60c58521c7fb4b19e71f1cac145f43a14cae5865b57cf73757
Instruction ID: 8bd101e56ae551f4e8a1c1ef097a64789006ead7809401a25ef574b2a6f2efc6
Opcode Fuzzy Hash: 5cfe04b07cfaba60c58521c7fb4b19e71f1cac145f43a14cae5865b57cf73757
Instruction Fuzzy Hash: 2051B5A26047D53DFB3683248C55BBE7EAD5F86300F08C589E1DD568C2D294EC84D756

Function 0094542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00953CD6,?,?,?,?,?,?,?,?,00945BA3,?,?,00953CD6,?,?), ref: 00945470
__fassign.LIBCMT ref: 009454EB
__fassign.LIBCMT ref: 00945506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00953CD6,00000005,00000000,00000000), ref: 0094552C
WriteFile.KERNEL32(?,00953CD6,00000000,00945BA3,00000000,?,?,?,?,?,?,?,?,?,00945BA3,?), ref: 0094554B
WriteFile.KERNEL32(?,?,00000001,00945BA3,00000000,?,?,?,?,?,?,?,?,?,00945BA3,?), ref: 00945584

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d6212c4b5f0060b7f263eff5c62dc3b4eea168707abdb44857add6e01935138d
Instruction ID: 730eebb261807ae64e987871568fbad05ce58c65c314f897ddd9826fc94f3a14
Opcode Fuzzy Hash: d6212c4b5f0060b7f263eff5c62dc3b4eea168707abdb44857add6e01935138d
Instruction Fuzzy Hash: FD5103B0A00649AFDB11CFE8D895EEEBBF9EF09300F15451AF545E7292E7309A41CB60

Function 00932D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00932D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00932D53
_ValidateLocalCookies.LIBCMT ref: 00932DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00932E0C
_ValidateLocalCookies.LIBCMT ref: 00932E61

Strings

csm, xrefs: 00932DF6

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c190106f64b5d66a59b46ddfa390d64124cd269ef6dc5cf573462f19290fedd4
Instruction ID: c0745c677518a23c2219b9f81a1307984f86430a9a0d3000dd2532d0fce6cdd5
Opcode Fuzzy Hash: c190106f64b5d66a59b46ddfa390d64124cd269ef6dc5cf573462f19290fedd4
Instruction Fuzzy Hash: 7D418174A00209EBCF10DF68CC85A9EBBB9BF85324F148155E925AB392D735EA05CFD1

Function 009910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0099304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0099307A
Part of subcall function 0099304E: _wcslen.LIBCMT ref: 0099309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00991112
WSAGetLastError.WSOCK32 ref: 00991121
WSAGetLastError.WSOCK32 ref: 009911C9
closesocket.WSOCK32(00000000), ref: 009911F9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8cfe8b49af4a1ac7d0a5cf757fee63e8ecd6fbfd744c24656e241e31f2afeb90
Instruction ID: 49890d8dbdd7d5846b19c99490ea9072aa03a36959051564c9a4b66a57571dbd
Opcode Fuzzy Hash: 8cfe8b49af4a1ac7d0a5cf757fee63e8ecd6fbfd744c24656e241e31f2afeb90
Instruction Fuzzy Hash: CD410571604205AFDB209F18C884BA9BBE9FF85324F148059FD159F291C774ED81CBE0

Function 0097CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0097CF22,?), ref: 0097DDFD

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0097CF22,?), ref: 0097DE16

lstrcmpiW.KERNEL32(?,?), ref: 0097CF45
MoveFileW.KERNEL32(?,?), ref: 0097CF7F
_wcslen.LIBCMT ref: 0097D005
_wcslen.LIBCMT ref: 0097D01B
SHFileOperationW.SHELL32(?), ref: 0097D061

Strings

\*.*, xrefs: 0097CFF3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 674e8df6b37d68e24a4b520bd161023596dde4513088d033a0ead9b2611570a3
Instruction ID: 58578017daa7e161e4ed53555aa4c8e8ba0142df406eab772afc0ab113cf0aaf
Opcode Fuzzy Hash: 674e8df6b37d68e24a4b520bd161023596dde4513088d033a0ead9b2611570a3
Instruction Fuzzy Hash: 6A4149B29451185FDF12EFA4C982BDD77BDAF49780F1040E6E509EB141EB34A644CF50

Function 009A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 009A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 009A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 009A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A2F0B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 62aa15bdd2604c23c7838d65afc284b99904687ec145b010c134201b87c462ef
Instruction ID: 208b3ab30890ba55b8a6ef91319b0b9342b5f3c3c578493c4543a6fb2e1927d6
Opcode Fuzzy Hash: 62aa15bdd2604c23c7838d65afc284b99904687ec145b010c134201b87c462ef
Instruction Fuzzy Hash: B331E331659291AFDB25CF5CEC84F6537E9EB9A710F250164F9058F2B2CB71AC80EB81

Function 00977726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00977769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0097778F
SysAllocString.OLEAUT32(00000000), ref: 00977792
SysAllocString.OLEAUT32(?), ref: 009777B0
SysFreeString.OLEAUT32(?), ref: 009777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009777DE
SysAllocString.OLEAUT32(?), ref: 009777EC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bd6cb505a1bf7ce84ce5aee7086e3ff21d35db9b163ae1c77beaaca343981e89
Instruction ID: 40f3acd11426f098ab8bb0443234117b2f5e7a0ef16c58fa2ee647d404f52e92
Opcode Fuzzy Hash: bd6cb505a1bf7ce84ce5aee7086e3ff21d35db9b163ae1c77beaaca343981e89
Instruction Fuzzy Hash: 8421B076608219AFDB14DFA8DC88DBBB7ECEF09764B008425FA08DB160D674DC4187A4

Function 009777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00977842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00977868
SysAllocString.OLEAUT32(00000000), ref: 0097786B
SysAllocString.OLEAUT32 ref: 0097788C
SysFreeString.OLEAUT32 ref: 00977895
StringFromGUID2.OLE32(?,?,00000028), ref: 009778AF
SysAllocString.OLEAUT32(?), ref: 009778BD

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d7f4786d6cc3b20e1f25cc30f9727c11f076f91e6d251e4e558e8234f9234c9a
Instruction ID: c49a84a21d2d037db73d3b6bb1a1ef36889c1eee258313a28131248e10969038
Opcode Fuzzy Hash: d7f4786d6cc3b20e1f25cc30f9727c11f076f91e6d251e4e558e8234f9234c9a
Instruction Fuzzy Hash: EA216072608214AFDB109FE8DC88DBAB7ECEF097607108125F919CB2A5DA74DC41DBA5

Function 009804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0098052E

Strings

nul, xrefs: 00980567

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9b5fab54d014829a682aeb5ee06d5009da730987df3c70ee62435e860667241f
Instruction ID: 2e2b3d856db909d6eefd2e72afc4e76dd694ab3f5eab28c99f10cd12cb8e1cd4
Opcode Fuzzy Hash: 9b5fab54d014829a682aeb5ee06d5009da730987df3c70ee62435e860667241f
Instruction Fuzzy Hash: B4215E75600305AFDB60AF2AD844A9A77A8BF85724F204A19F8A1D63E0E770D948DF60

Function 009805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00980601

Strings

nul, xrefs: 00980639

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 32806e975f86c4098c70156591a5ad0c5256c1d0da35f00c83fee1484d1adc63
Instruction ID: e665107a7ee72d55b60a2ff75ad2da23d4033aba43028115b100b2b4c61dee60
Opcode Fuzzy Hash: 32806e975f86c4098c70156591a5ad0c5256c1d0da35f00c83fee1484d1adc63
Instruction Fuzzy Hash: 6E217F755003059FDB60AF698C04A9A77E8AFD5720F204B19F8B1E73E0E7709864CB60

Function 009A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0091600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0091604C
Part of subcall function 0091600E: GetStockObject.GDI32(00000011), ref: 00916060
Part of subcall function 0091600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0091606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009A4145

Strings

Msctls_Progress32, xrefs: 009A40E3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: cab27ae480654298484a219993bb2bf78ba9f7be482b41bd7ac1d6325f6b174d
Instruction ID: 87d1bc3f93feb517233b2d7af89a4cf1cd6f41b48cfee6eb1d3fde81a277fd68
Opcode Fuzzy Hash: cab27ae480654298484a219993bb2bf78ba9f7be482b41bd7ac1d6325f6b174d
Instruction Fuzzy Hash: 5011B2B215021DBEEF118F64CC85EE77F9DEF59798F004111BA18A6150CAB29C61DBE4

Function 0094D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0094D7A3: _free.LIBCMT ref: 0094D7CC

_free.LIBCMT ref: 0094D82D

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094D838
_free.LIBCMT ref: 0094D843
_free.LIBCMT ref: 0094D897
_free.LIBCMT ref: 0094D8A2
_free.LIBCMT ref: 0094D8AD
_free.LIBCMT ref: 0094D8B8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bd831c05411fbe07da1a4398f29f5243cd5cf0d6f44b09403d627c06e734bd00
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 9E115EB1542B04ABFA21BFB1CC47FCB7BDCBF80700F800925B299A6292DA75B5058660

Function 0097DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0097DA74
LoadStringW.USER32(00000000), ref: 0097DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0097DA91
LoadStringW.USER32(00000000), ref: 0097DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0097DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0097DAB9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2a7120dfe8aed95592161b70b9ec0d2fedf627c48bf92be9d372615dd93de8db
Instruction ID: cabb419aba393d1526b1faacaf6c86449b0cf6f7574e956f53e44c54ee2a16bb
Opcode Fuzzy Hash: 2a7120dfe8aed95592161b70b9ec0d2fedf627c48bf92be9d372615dd93de8db
Instruction Fuzzy Hash: CF0162F25442087FE710DBA09D89EEB336CEF09701F404896B74AE6041EA749E844FB4

Function 0098096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0108E840,0108E840), ref: 0098097B
EnterCriticalSection.KERNEL32(0108E820,00000000), ref: 0098098D
TerminateThread.KERNEL32(?,000001F6), ref: 0098099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009809A9
CloseHandle.KERNEL32(?), ref: 009809B8
InterlockedExchange.KERNEL32(0108E840,000001F6), ref: 009809C8
LeaveCriticalSection.KERNEL32(0108E820), ref: 009809CF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2a5fa7ceb9816b78e645239bb6a366ff54420efb14f65b09707d1d90549742f8
Instruction ID: 0c32497169f4dc637d8c51d9d58582b29e79fa51821a67f0ccdccf6f0b2ec177
Opcode Fuzzy Hash: 2a5fa7ceb9816b78e645239bb6a366ff54420efb14f65b09707d1d90549742f8
Instruction Fuzzy Hash: 9CF03C7255AA02BBD7415FA4EE8CBD6BB39FF42702F402025F602988A0CB759465DFD0

Function 00991C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00991DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00991DE1
WSAGetLastError.WSOCK32 ref: 00991DF2
htons.WSOCK32(?,?,?,?,?), ref: 00991EDB
inet_ntoa.WSOCK32(?), ref: 00991E8C

Part of subcall function 009739E8: _strlen.LIBCMT ref: 009739F2

Part of subcall function 00993224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0098EC0C), ref: 00993240

_strlen.LIBCMT ref: 00991F35

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 967c9aea6ed369519ddf788a421d708b26a90f07e3e7263d29e3fddba0e3b73e
Instruction ID: 57edceb241e003af74ae42197be9bce11e17356d9fbf2f4f7cb9a431a4f408de
Opcode Fuzzy Hash: 967c9aea6ed369519ddf788a421d708b26a90f07e3e7263d29e3fddba0e3b73e
Instruction Fuzzy Hash: 52B1BD71204305AFC724DF28C895F6A7BA9BFC5318F54894CF4565B2A2DB31ED82CB91

Function 00915D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00915D30
GetWindowRect.USER32(?,?), ref: 00915D71
ScreenToClient.USER32(?,?), ref: 00915D99
GetClientRect.USER32(?,?), ref: 00915ED7
GetWindowRect.USER32(?,?), ref: 00915EF8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1b82563b3cea3dd333ae1720d9c8d17161ebf1fdd3982957e4c5843e2069b5ed
Instruction ID: 6c49a7bddd3129f96b9ca7de7d35003138964c999458381b9e11266a4c9c01e0
Opcode Fuzzy Hash: 1b82563b3cea3dd333ae1720d9c8d17161ebf1fdd3982957e4c5843e2069b5ed
Instruction Fuzzy Hash: BEB17A74A0074AEBDB14CFA9C4807EEB7F5FF48314F15881AE8A9D7250DB34AA91DB50

Function 009401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009400D6
__allrem.LIBCMT ref: 009400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0094010B
__allrem.LIBCMT ref: 00940122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00940140

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ea07e42b9bfcc51d8b6547d9245a2a87040737e34e4b20f6ce52ab2b5e436b2
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C681E472A007069BE724AE29CC51F6B73E9EFD5324F24463AFA51D7681E774D9008B50

Function 009461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009382D9,009382D9,?,?,?,0094644F,00000001,00000001,8BE85006), ref: 00946258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0094644F,00000001,00000001,8BE85006,?,?,?), ref: 009462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009463D8
__freea.LIBCMT ref: 009463E5

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

__freea.LIBCMT ref: 009463EE
__freea.LIBCMT ref: 00946413

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9747b776cb594388cb3124ba74767529c4461a0a6aa73ddfbcb7576312503787
Instruction ID: be1e4d771d0dd977a77c4781bffa90e97a005e4296e45d7e0a3fdc9106b515c1
Opcode Fuzzy Hash: 9747b776cb594388cb3124ba74767529c4461a0a6aa73ddfbcb7576312503787
Instruction Fuzzy Hash: A251E1B2A00256ABEF258F64CC81FBF7BA9EF86750F144669FC05D6190EB34DC40C6A1

Function 0099BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0099BD25
RegCloseKey.ADVAPI32(00000000), ref: 0099BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0099BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0099BDF3
RegCloseKey.ADVAPI32(?), ref: 0099BDFF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 86603f6850681b4f6bb844ca2dbffb46bace326227cdc59fa5c8a2fe6d674ec5
Instruction ID: 6a044cf31d4608a7e93b53ecb576de67574380c8ec00707eb8f98120e8afbb00
Opcode Fuzzy Hash: 86603f6850681b4f6bb844ca2dbffb46bace326227cdc59fa5c8a2fe6d674ec5
Instruction Fuzzy Hash: 0B81C470208241EFCB14DF18C995E6AB7E9FF85308F14895CF4994B2A2DB35ED45CB92

Function 0096F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0096F7B9
SysAllocString.OLEAUT32(00000001), ref: 0096F860
VariantCopy.OLEAUT32(0096FA64,00000000), ref: 0096F889
VariantClear.OLEAUT32(0096FA64), ref: 0096F8AD
VariantCopy.OLEAUT32(0096FA64,00000000), ref: 0096F8B1
VariantClear.OLEAUT32(?), ref: 0096F8BB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b905ec6b1ea5e8783735d42a09e09efeffdee4514aaa09f5d4b3fa7b5b549089
Instruction ID: ebd424d5c16c8f372f512814561eafe77d5a9171c31087f5774fdc42ebed05eb
Opcode Fuzzy Hash: b905ec6b1ea5e8783735d42a09e09efeffdee4514aaa09f5d4b3fa7b5b549089
Instruction Fuzzy Hash: BD510735610310BACF24AF65E8B5B29B3E9EF85310F208867F906DF295DB748C40CB96

Function 0098910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009894E5
_wcslen.LIBCMT ref: 00989506
_wcslen.LIBCMT ref: 0098952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00989585

Strings

X, xrefs: 00989412

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c7c8407ce557500c08f369fc8543c7c6720afd66799d8eebd19698d67a889445
Instruction ID: 02f96179de5d992eebc54d26b7522f4f6ce51817120e586cb9e808e8240246a5
Opcode Fuzzy Hash: c7c8407ce557500c08f369fc8543c7c6720afd66799d8eebd19698d67a889445
Instruction Fuzzy Hash: AEE16F316083119FC724EF24C891BAAB7E5BF85314F08896DF8999B3A2DB31DD45CB91

Function 0092920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

BeginPaint.USER32(?,?,?), ref: 00929241
GetWindowRect.USER32(?,?), ref: 009292A5
ScreenToClient.USER32(?,?), ref: 009292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009292D3
EndPaint.USER32(?,?,?,?,?), ref: 00929321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009671EA

Part of subcall function 00929339: BeginPath.GDI32(00000000), ref: 00929357

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8777a1e25a47d5a64277af1274ab6604563b8f221a66a1eb9e170b75198fda05
Instruction ID: 59d1ec0368230f9f901631c20d167f00935e5c73a37cbed68129d7ab9cf450d3
Opcode Fuzzy Hash: 8777a1e25a47d5a64277af1274ab6604563b8f221a66a1eb9e170b75198fda05
Instruction Fuzzy Hash: 3D41A170108211AFD711DF64ECC4FBA7BA8EF46724F040629F9648B2A6C7349845EB61

Function 009807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0098080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00980847
EnterCriticalSection.KERNEL32(?), ref: 00980863
LeaveCriticalSection.KERNEL32(?), ref: 009808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00980921

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 9c04339c1c0f6259f421c559fc47cf2d4f385e0b1da074ee0e87eb89265456ef
Instruction ID: f3f349c829a3dea3e053705ac9caa38cdf05057b05288ec2f8408ab1e70b4651
Opcode Fuzzy Hash: 9c04339c1c0f6259f421c559fc47cf2d4f385e0b1da074ee0e87eb89265456ef
Instruction Fuzzy Hash: 82416B71A00205EBDF15AF54DC85AAAB778FF84310F1440B9ED04AE29BDB31DE64DBA0

Function 009A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0096F3AB,00000000,?,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 009A824C
EnableWindow.USER32(?,00000000), ref: 009A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009A82D1
ShowWindow.USER32(?,00000004), ref: 009A82E5
EnableWindow.USER32(?,00000001), ref: 009A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009A832F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1268ad8332264b36341b9ee6783b1bc886fe4e3e057fa245a24710f344605636
Instruction ID: b5925d64c5f4d1aad76a972a1eaee7b1d4e97667913c821c928ff76f06fdf69f
Opcode Fuzzy Hash: 1268ad8332264b36341b9ee6783b1bc886fe4e3e057fa245a24710f344605636
Instruction Fuzzy Hash: 9241AF30605644EFDF25CF24D899BA57BE4BB0B754F1842A9EA584F2A3CB31AC41DB90

Function 00974C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00974C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00974CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00974CEA
_wcslen.LIBCMT ref: 00974D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00974D10
_wcsstr.LIBVCRUNTIME ref: 00974D1A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 049f68d4bb9d15ca7cedf107faf7fa45db0e8022d4cbfa9feabb7acecb096900
Instruction ID: d874db1902aed5f6991c9fa141171f04b3a8141b482c6aa0bb54d6ecee8f6b14
Opcode Fuzzy Hash: 049f68d4bb9d15ca7cedf107faf7fa45db0e8022d4cbfa9feabb7acecb096900
Instruction Fuzzy Hash: 9721FC73204111BBEB269B39AC49F7B7BACDF46750F148079F849DE192EF65DC0096A0

Function 0098581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

_wcslen.LIBCMT ref: 0098587B
CoInitialize.OLE32(00000000), ref: 00985995
CoCreateInstance.OLE32(009AFCF8,00000000,00000001,009AFB68,?), ref: 009859AE
CoUninitialize.OLE32 ref: 009859CC

Strings

.lnk, xrefs: 00985876, 009858C1, 00985985

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 7f862af0ac21bbcdab455a4fa591ba165d257c09e8c406176ab9d4c670f80fab
Instruction ID: f39f87a76aa7df07ea41437f987bd5d4e882c655352efbbc04e11aa67a51d857
Opcode Fuzzy Hash: 7f862af0ac21bbcdab455a4fa591ba165d257c09e8c406176ab9d4c670f80fab
Instruction Fuzzy Hash: 2AD154716086059FC714EF24C480A6ABBF6EF89714F15885DF88A9B361D732EC49CB92

Function 0097175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00970FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00970FCA
Part of subcall function 00970FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00970FD6
Part of subcall function 00970FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00970FE5
Part of subcall function 00970FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00970FEC
Part of subcall function 00970FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00971002

GetLengthSid.ADVAPI32(?,00000000,00971335), ref: 009717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009717BA
HeapAlloc.KERNEL32(00000000), ref: 009717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009717DA
GetProcessHeap.KERNEL32(00000000,00000000,00971335), ref: 009717EE
HeapFree.KERNEL32(00000000), ref: 009717F5

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9ac882375a3baae99f642051c870642f6fbed11b9901d20e674958d5089b23d2
Instruction ID: 3a2ec15e71be9092c90dab334184db196d808102cf8e79b665667a58f0a39a07
Opcode Fuzzy Hash: 9ac882375a3baae99f642051c870642f6fbed11b9901d20e674958d5089b23d2
Instruction Fuzzy Hash: 8B11BE72614205FFDB189FA8CC49BAE7BADEF42755F108018F4499B210D735A944DBA0

Function 009714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00971506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00971515
CloseHandle.KERNEL32(00000004), ref: 00971520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0097154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00971563

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7edff3536ac9efb0834dce7ed3a82e95032d9fe13b9c3a31d61b7743afdc12b8
Instruction ID: bb4ef3683f048982e975917e311874799bc53be90a8dfd1e1ddcb58ea8e00c5a
Opcode Fuzzy Hash: 7edff3536ac9efb0834dce7ed3a82e95032d9fe13b9c3a31d61b7743afdc12b8
Instruction Fuzzy Hash: 1A1129B2604209ABDF118F98DD49BDE7BADEF49744F048015FA09A6160C3758E64EBA0

Function 00933382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00933379,00932FE5), ref: 00933390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0093339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009333B7
SetLastError.KERNEL32(00000000,?,00933379,00932FE5), ref: 00933409

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8c6a516d39dc7490f42dc70a5a87ab52903fd5b0fe9b48ef5f46f07494326b4e
Instruction ID: c9a64bcb46e9fdb58ec9441bf77888a485dbe9c68dab9055f7a2defd28a52644
Opcode Fuzzy Hash: 8c6a516d39dc7490f42dc70a5a87ab52903fd5b0fe9b48ef5f46f07494326b4e
Instruction Fuzzy Hash: 7F0147732DE712BEAE242775BC87B276B98EB45379F20C22AF410852F0EF114D01AD84

Function 00942D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00945686,00953CD6,?,00000000,?,00945B6A,?,?,?,?,?,0093E6D1,?,009D8A48), ref: 00942D78
_free.LIBCMT ref: 00942DAB
_free.LIBCMT ref: 00942DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0093E6D1,?,009D8A48,00000010,00914F4A,?,?,00000000,00953CD6), ref: 00942DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0093E6D1,?,009D8A48,00000010,00914F4A,?,?,00000000,00953CD6), ref: 00942DEC
_abort.LIBCMT ref: 00942DF2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f455c6a067f404da483ff78d6c6f8f8c217f228704427e464a1b728456cdaee6
Instruction ID: 83176f76c7baf9fb885a11cab4dc1dfa8153e8338d2ffd730a5a764685f1a0aa
Opcode Fuzzy Hash: f455c6a067f404da483ff78d6c6f8f8c217f228704427e464a1b728456cdaee6
Instruction Fuzzy Hash: DFF02831949A0127C6122735BC0AF1E265DBFC27A1F654519F824961D2EE7488415160

Function 009A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00929639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00929693
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296A2
Part of subcall function 00929639: BeginPath.GDI32(?), ref: 009296B9
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009A8A70
LineTo.GDI32(?,00000000,00000003), ref: 009A8A80
EndPath.GDI32(?), ref: 009A8A90
StrokePath.GDI32(?), ref: 009A8AA0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b936c11f0d8f13c50c4d24ef598a7a7b82552a333f0168e0900053321a92425a
Instruction ID: 48c2beec1448c86a0a23021fcce7dcd6663402f662fa59208095865b2b65c559
Opcode Fuzzy Hash: b936c11f0d8f13c50c4d24ef598a7a7b82552a333f0168e0900053321a92425a
Instruction Fuzzy Hash: C11109B600415CFFDF129F90EC88EAA7F6CEF09394F008012FA199A1A1C7719D55EBA0

Function 009751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00975218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00975229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00975230
ReleaseDC.USER32(00000000,00000000), ref: 00975238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0097524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00975261

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 59ccdc03128566a3b3c56142c31efeabc7066b60c2c4497764af922dcf756f0b
Instruction ID: cad39055869fead7d56f6a35ac77357d957c82b9efd5e68ca69a45105ec69bb0
Opcode Fuzzy Hash: 59ccdc03128566a3b3c56142c31efeabc7066b60c2c4497764af922dcf756f0b
Instruction Fuzzy Hash: C5014FB5A04719BBEB109BA59C49A5EBFB8EF49751F044065FA04AB281D6709C00DBA0

Function 00911BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00911BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00911BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00911C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00911C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00911C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00911C22

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2591a0d1e8e16a98225962ed68e8517c58f906c8f0510845c32b993d19a3b4da
Instruction ID: c3c005d6f9445ea533815a8a74c10dc5ff0d066d2bbbcf0c1657a2283c2f3eea
Opcode Fuzzy Hash: 2591a0d1e8e16a98225962ed68e8517c58f906c8f0510845c32b993d19a3b4da
Instruction Fuzzy Hash: DA0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0097EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0097EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0097EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0097EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0097EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0097EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0097EB75

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 87d259a64d2f9a0b3580d1063b223801fb794bee06b81ee237b64980daf743f4
Instruction ID: 7abaad561e7cb69fe8b863b3228c8089ac58ba6056b1a3fdd6adb9ef142d3d0c
Opcode Fuzzy Hash: 87d259a64d2f9a0b3580d1063b223801fb794bee06b81ee237b64980daf743f4
Instruction Fuzzy Hash: F3F054B2254159BBE7215B529C0DEEF3E7CEFCBB11F004159F601D5091DBA05A01D6F5

Function 00967439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00967452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00967469
GetWindowDC.USER32(?), ref: 00967475
GetPixel.GDI32(00000000,?,?), ref: 00967484
ReleaseDC.USER32(?,00000000), ref: 00967496
GetSysColor.USER32(00000005), ref: 009674B0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 42ee6c807023b80ddcfe42550179014bead8bcbf2f6d607ff3615b2c75028cf0
Instruction ID: d9c5c701baca27faa6d5e9c62c26aed71922308a5e051a3fa6d9d03d1898e311
Opcode Fuzzy Hash: 42ee6c807023b80ddcfe42550179014bead8bcbf2f6d607ff3615b2c75028cf0
Instruction Fuzzy Hash: 65018B71418216FFDB109FA4DD08BAABBB6FF05311F110060F916A61B0CF311E41AB90

Function 00971874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0097187F
UnloadUserProfile.USERENV(?,?), ref: 0097188B
CloseHandle.KERNEL32(?), ref: 00971894
CloseHandle.KERNEL32(?), ref: 0097189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009718A5
HeapFree.KERNEL32(00000000), ref: 009718AC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cce0622c135e035d9132796744e9ad37369ee69c252bd167aa523a82cab76b9c
Instruction ID: e963aa53e28aed32b002e33aaed14dc2b0a64a21f6e0b18c6860e3808e6d56a2
Opcode Fuzzy Hash: cce0622c135e035d9132796744e9ad37369ee69c252bd167aa523a82cab76b9c
Instruction Fuzzy Hash: 35E0E5B621C101BBDB015FA1ED0C90ABF79FF4AB22B108220F22589070CF329421EF90

Function 0097C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0097C6EE
_wcslen.LIBCMT ref: 0097C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0097C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0097C7CA

Strings

0, xrefs: 0097C6AF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 87e155956d95dce6b744dd620980d9db5154cf04e938a2eb9055980c9500c83a
Instruction ID: d9481ad948780321339ac25f57e2ebb2ffd87e9ba2656c5dd138245fbf211f81
Opcode Fuzzy Hash: 87e155956d95dce6b744dd620980d9db5154cf04e938a2eb9055980c9500c83a
Instruction Fuzzy Hash: F35104B26083019BD719DF28D885BAB77E8AF89310F048A2DF999E71D0DB74DD44CB52

Function 0099AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0099AEA3

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

GetProcessId.KERNEL32(00000000), ref: 0099AF38
CloseHandle.KERNEL32(00000000), ref: 0099AF67

Strings

<, xrefs: 0099AE6B
@, xrefs: 0099AE72

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a094e3c0ef39fd30c1b0102ab8bf29123cf3ed7d65f2ce0bc557f131ec6d45b4
Instruction ID: 4d82ed8ee78434df01fa7c7d31277c8aefeaf0c3e07c273659ebb8c6f280734d
Opcode Fuzzy Hash: a094e3c0ef39fd30c1b0102ab8bf29123cf3ed7d65f2ce0bc557f131ec6d45b4
Instruction Fuzzy Hash: 55713470A00219DFCF14DF98C484A9EBBF5EF48314F048499E816AB3A2CB75ED85CB91

Function 0097719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00977206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0097723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0097724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009772CF

Strings

DllGetClassObject, xrefs: 00977242

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5663939ccf5b1e5634c217bd1cf1592d5e29450cf04bb8b1b66a68cb1d8e0274
Instruction ID: a22ca32685ee2616eb9d5e8ceab43e213bddbe1fa92e83bce18c7d01ba8997cc
Opcode Fuzzy Hash: 5663939ccf5b1e5634c217bd1cf1592d5e29450cf04bb8b1b66a68cb1d8e0274
Instruction Fuzzy Hash: 204182B2604204EFDB15CF94C884B9ABBB9EF45314F14C0A9BD19DF20AD7B4D944DBA0

Function 009A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009A3E35
IsMenu.USER32(?), ref: 009A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009A3E92
DrawMenuBar.USER32 ref: 009A3EA5

Strings

0, xrefs: 009A3D89

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c6bedd2ef255598684ed5c025b1282c41fa23c363f3693f0b4703b7ea0581572
Instruction ID: ef015e1d6c2ea2dd5e69982c50d7a61be9d7027749ab9da7fd373658611f3b6a
Opcode Fuzzy Hash: c6bedd2ef255598684ed5c025b1282c41fa23c363f3693f0b4703b7ea0581572
Instruction Fuzzy Hash: CA416975A15209EFDB10DF60D884EEABBB9FF4A354F14802AF905AB250D730AE40DF90

Function 00971DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00971E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00971E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00971EA9

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Strings

ComboBox, xrefs: 00971DF0
ListBox, xrefs: 00971E25

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3580fbd9e85e4c3bed95bdb2170cce4922c53f73c89934648cf58f445fed602f
Instruction ID: 80270ad18672248a041ab3f497904022301ef08ebf5c8a0010a37a24d0b36092
Opcode Fuzzy Hash: 3580fbd9e85e4c3bed95bdb2170cce4922c53f73c89934648cf58f445fed602f
Instruction Fuzzy Hash: E5216B72A00108BFDB149B68DC56DFFB7BCEF82350B14C519F859A71E0DB384D459660

Function 009A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009A2F8D
LoadLibraryW.KERNEL32(?), ref: 009A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009A2FA9
DestroyWindow.USER32(?), ref: 009A2FB1

Strings

SysAnimate32, xrefs: 009A2F68

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0c1931d3da9fc5851fbb4d10c768e9ca675f0dd6495eb646c4333860bb721433
Instruction ID: a71fee44b8168ff61748d0ddb0e0b1959887918f4b8611e58acf79b8cf475607
Opcode Fuzzy Hash: 0c1931d3da9fc5851fbb4d10c768e9ca675f0dd6495eb646c4333860bb721433
Instruction Fuzzy Hash: 99219D71214209AFEB108FA8DC84FBB77BDEF9A368F104619F950D61A0D771DC91A7A0

Function 00934D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00934D1E,009428E9,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002), ref: 00934D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00934DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00934D1E,009428E9,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002,00000000), ref: 00934DC3

Strings

CorExitProcess, xrefs: 00934D98
mscoree.dll, xrefs: 00934D86

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 909bc7142c7c4ec93d33f4947f3f564271640234ca5b7394dfa466dc8c9d52de
Instruction ID: f74347420b9c136937118684ef9e1dcea2e41140f40dffd354489e5fedd28144
Opcode Fuzzy Hash: 909bc7142c7c4ec93d33f4947f3f564271640234ca5b7394dfa466dc8c9d52de
Instruction Fuzzy Hash: 79F03C74A54208ABDB119B94DC49BAEBFE9EF85751F0101A4E906A62A0CF70AD40DED0

Function 00914E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00914EAE
FreeLibrary.KERNEL32(00000000,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00914EA8
kernel32.dll, xrefs: 00914E94

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 4bed8f5b140ba531335048a75c3a557d8fee804d429e6b8120eee8d728c3cd77
Instruction ID: b2d3a48802cc1b2fd15850bd4248c305c6368269d6fe3ce489a7fde660700c2c
Opcode Fuzzy Hash: 4bed8f5b140ba531335048a75c3a557d8fee804d429e6b8120eee8d728c3cd77
Instruction Fuzzy Hash: C3E0C276B5A6225BD3321B25BC18BAF769CAFC7F67B050115FC08E6200DB60CD4294F1

Function 00914E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00914E74
FreeLibrary.KERNEL32(00000000,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00914E6E
kernel32.dll, xrefs: 00914E5B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 7dcd82f5fd8770924d77690fa520fc4e987e418683c4db586ca18064683f7828
Instruction ID: fb24306888bcc39117c2945d44603195057098702ae19470e3a674063649d1eb
Opcode Fuzzy Hash: 7dcd82f5fd8770924d77690fa520fc4e987e418683c4db586ca18064683f7828
Instruction Fuzzy Hash: 1BD0C23571A6225746221B247C08DCB3A1CAF8AB153054211F804AA110CF21CD42D1E1

Function 00982947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00982C05
DeleteFileW.KERNEL32(?), ref: 00982C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00982C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00982CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00982CC0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d2d58fec8b31cc040165f712ebadb890f66f3883fec8bb18ea3008fa7b45d417
Instruction ID: c3c393616357b2aac6c987a86333d6af92ba7eab89aa54a5c303e4ff929a783f
Opcode Fuzzy Hash: d2d58fec8b31cc040165f712ebadb890f66f3883fec8bb18ea3008fa7b45d417
Instruction Fuzzy Hash: 26B15D72A01119ABDF15EBA4CC85FEEB7BDEF89310F1040A6F509E6241EA359A448F61

Function 0099A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0099A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0099A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0099A468
CloseHandle.KERNEL32(?), ref: 0099A63D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 43fa338d5cfc0c251d73107f18cd6076b3ed6adc5390c2e166147290688b20ea
Instruction ID: f12a7d59099baff0e252d0158d05f27a72a9a684625648b7a44466a79dc9df62
Opcode Fuzzy Hash: 43fa338d5cfc0c251d73107f18cd6076b3ed6adc5390c2e166147290688b20ea
Instruction Fuzzy Hash: 0CA15FB16043019FDB20DF28D886B2AB7E5EF84714F14885DF95A9B392DB70EC418B92

Function 0094BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009B3700), ref: 0094BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,009E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0094BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,009E1270,000000FF,?,0000003F,00000000,?), ref: 0094BC36
_free.LIBCMT ref: 0094BB7F

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094BD4B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 72e944b17c2c0f18d86b54a86f9219e0c0b392084eaa9bc49470887107cb5d7b
Instruction ID: ff6a34221f2e28494a6f2268214fae77a8c9762d3453aba22d9fc1fa49696d34
Opcode Fuzzy Hash: 72e944b17c2c0f18d86b54a86f9219e0c0b392084eaa9bc49470887107cb5d7b
Instruction Fuzzy Hash: 7B51B671904209EFCB24EF699CC1EAEB7BCEF81310B10466AE564D7291EB30DE419B90

Function 0097E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0097CF22,?), ref: 0097DDFD

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0097CF22,?), ref: 0097DE16

Part of subcall function 0097E199: GetFileAttributesW.KERNEL32(?,0097CF95), ref: 0097E19A

lstrcmpiW.KERNEL32(?,?), ref: 0097E473
MoveFileW.KERNEL32(?,?), ref: 0097E4AC
_wcslen.LIBCMT ref: 0097E5EB
_wcslen.LIBCMT ref: 0097E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0097E650

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 610ee779c565cde7a7276af002136767e08f7ef286a87aa3ecc91f405bfec16c
Instruction ID: afc2d11ac19edbe51d681ed20a5986e9a97141fc2542b5e888b62e5caa66e039
Opcode Fuzzy Hash: 610ee779c565cde7a7276af002136767e08f7ef286a87aa3ecc91f405bfec16c
Instruction Fuzzy Hash: 7F5162B35083455BC724DB94D891ADB73ECAFC9340F00895EF689D3191EF74A6888B66

Function 0099B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0099BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0099BB63
RegCloseKey.ADVAPI32(?,?), ref: 0099BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0099BBB3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f4855ccc9f2d2699442ef6ba8a2cd6993dc7dfbf5e950bb748b10366113516e2
Instruction ID: b3419564fcf79cc815d5665c4e7dcebd9e4df584ee7e908f9067146efc178b10
Opcode Fuzzy Hash: f4855ccc9f2d2699442ef6ba8a2cd6993dc7dfbf5e950bb748b10366113516e2
Instruction Fuzzy Hash: CB61D371208205AFCB14DF18C590F6ABBE9FF84308F54895CF4994B2A2CB35ED45CB92

Function 00978BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00978BCD
VariantClear.OLEAUT32 ref: 00978C3E
VariantClear.OLEAUT32 ref: 00978C9D
VariantClear.OLEAUT32(?), ref: 00978D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00978D3B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 45dcb858c5447254cdb6da98c64dec7c97d6e51bff095d15f98d59dbeb8b95cc
Instruction ID: 9ed7df162af00c8aca6797f3711af3e26ac6d0cfee5c6d6eb03482e557dbcb20
Opcode Fuzzy Hash: 45dcb858c5447254cdb6da98c64dec7c97d6e51bff095d15f98d59dbeb8b95cc
Instruction Fuzzy Hash: B25159B5A10219EFCB14CF68C894AAAB7F9FF8D310B158559E909DB350E734E911CF90

Function 00988AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00988BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00988BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00988C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00988C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00988C5F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4fd0844a56efb53876be07c10966d805c29c1f73d4987d285e9851e35b239f72
Instruction ID: 7fc0d16b1df80ac0b9fea0938404c0e4d1311fc2b33a840b63f0276ab4598444
Opcode Fuzzy Hash: 4fd0844a56efb53876be07c10966d805c29c1f73d4987d285e9851e35b239f72
Instruction Fuzzy Hash: 32513075A002199FCB15DF54C881AAEBBF5FF49314F048458E84AAB362DB35ED51CBA0

Function 00998EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00998F40
GetProcAddress.KERNEL32(00000000,?), ref: 00998FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00998FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00999032
FreeLibrary.KERNEL32(00000000), ref: 00999052

Part of subcall function 0092F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00981043,?,7529E610), ref: 0092F6E6
Part of subcall function 0092F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0096FA64,00000000,00000000,?,?,00981043,?,7529E610,?,0096FA64), ref: 0092F70D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 05d82fe17036b850290c9ea66be3b887d8b4f5c835899851233d9b4c877ece8f
Instruction ID: eaa65d8277664858788e291c2178e30370a8192bf88dc415abec7e6360eae56f
Opcode Fuzzy Hash: 05d82fe17036b850290c9ea66be3b887d8b4f5c835899851233d9b4c877ece8f
Instruction Fuzzy Hash: 7C514B35605209DFCB11DF58C4949ADBBF5FF49314B0480A8E81A9B362DB31ED86CB90

Function 009A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0098AB79,00000000,00000000), ref: 009A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009A6CC7

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c42f13f9bd6d59c5864bbd0c53eae6aef9c780cc082bb53d47cb86fca204da0f
Instruction ID: d36928b0ed702749d24980e6e149bf86dd1bc8dc34c8beeaf6c9c6a7adb31736
Opcode Fuzzy Hash: c42f13f9bd6d59c5864bbd0c53eae6aef9c780cc082bb53d47cb86fca204da0f
Instruction Fuzzy Hash: 7B41B575A08104AFD724DF28CC59FA57BB9EB0B360F190228FAD5AB2E1C771AD41D6D0

Function 00942051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009420C3
_free.LIBCMT ref: 009420E3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 090c8196deacf42dd5abf46e4b74fae5a38b0646fea51e3ba23f346f2973dc1c
Instruction ID: 2c5e6735314a32a884f4eea384e3161e4fbd26691248dcbf79422140ef13e8c3
Opcode Fuzzy Hash: 090c8196deacf42dd5abf46e4b74fae5a38b0646fea51e3ba23f346f2973dc1c
Instruction Fuzzy Hash: 6E41AC72A00200ABDB24DF68C881E5EB7F5FF89314F5645A9F615EB396DA31AD01CB80

Function 0092912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00929141
ScreenToClient.USER32(00000000,?), ref: 0092915E
GetAsyncKeyState.USER32(00000001), ref: 00929183
GetAsyncKeyState.USER32(00000002), ref: 0092919D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 870f8c796b305000750b0d2cb08bae0a4cedde76dcdfbd6f70947ca9a0178dbe
Instruction ID: 83065ea7b339f1b0a117c937039c0c85710861146e8e68cc7a7424556b5d3dea
Opcode Fuzzy Hash: 870f8c796b305000750b0d2cb08bae0a4cedde76dcdfbd6f70947ca9a0178dbe
Instruction Fuzzy Hash: 4E419F71A0C21ABBDF099FA8D844BEEF774FF06324F208216E429A72D1C7346950DB91

Function 00983874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00983922
TranslateMessage.USER32(?), ref: 0098394B
DispatchMessageW.USER32(?), ref: 00983955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00983966

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 96cb5f844c9194ab37b16351117f9cea70ce3c2c0789515160cae0f35227c84b
Instruction ID: 3b7cb8b28034df25109c14a92d7ee0a88e7641d3ec58126c38329019f9dd6d46
Opcode Fuzzy Hash: 96cb5f844c9194ab37b16351117f9cea70ce3c2c0789515160cae0f35227c84b
Instruction Fuzzy Hash: ED31EB7091C381DFEB39EB35D848BB637ACAB05700F04855DE46687290E7F69A85DB11

Function 0098CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0098C21E,00000000), ref: 0098CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0098CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0098C21E,00000000), ref: 0098CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0098C21E,00000000), ref: 0098CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0098C21E,00000000), ref: 0098CFF2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 801931bba77168eb0a3c585c0c7f7ca0d8cc1eb57f463a264ec6a9e9264b6c60
Instruction ID: ef43800655d2544315d725f137ed1908feb3796cd3ed7b00cb058d2bf3cd88df
Opcode Fuzzy Hash: 801931bba77168eb0a3c585c0c7f7ca0d8cc1eb57f463a264ec6a9e9264b6c60
Instruction Fuzzy Hash: F7314CB1504205AFEB20EFA5D884AABBBFDEF15355B10442EF616D6240DB34EE40DBA0

Function 00971901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00971915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009719E2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fff9a07cf8874cad7d97ac731b7718a58ffab7625d47643cb34974739f01a18e
Instruction ID: 1d03dcd3d060657e804212e097327863409ed303b44988d852a658561121dc12
Opcode Fuzzy Hash: fff9a07cf8874cad7d97ac731b7718a58ffab7625d47643cb34974739f01a18e
Instruction Fuzzy Hash: 7331C272A00219EFCB10CFACDD99ADE3BB5EF45315F108225FA25AB2D1C7709945DB90

Function 009A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009A579D
_wcslen.LIBCMT ref: 009A57AF
_wcslen.LIBCMT ref: 009A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009A5816

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d53f2517d0e2b1e43896beb61d3780241a7f7d1c1ba682390974ce2f5b50c50e
Instruction ID: 2a6169f472550a62007c7b9b18be9ddaa1039eca9bca7cbdf2d085d566753d84
Opcode Fuzzy Hash: d53f2517d0e2b1e43896beb61d3780241a7f7d1c1ba682390974ce2f5b50c50e
Instruction Fuzzy Hash: D321D271A04608DADB209FA1CC84AEE77BCFF46720F108216F929EA180D7748981CFD0

Function 0092990E Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009298CC
SetTextColor.GDI32(?,?), ref: 009298D6
SetBkMode.GDI32(?,00000001), ref: 009298E9
GetStockObject.GDI32(00000005), ref: 009298F1
GetWindowLongW.USER32(?,000000EB), ref: 00929952

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 8b100443ca40263cf09f6f4d54a57d285b3dac55a1bf3529cfcd29e27fae73ff
Instruction ID: 9fa6d898b00888adceb066faeb591662c9827de8c6f04a9e1d4e50fbe14a6e64
Opcode Fuzzy Hash: 8b100443ca40263cf09f6f4d54a57d285b3dac55a1bf3529cfcd29e27fae73ff
Instruction Fuzzy Hash: F621D6752492609FC7228F24FC65AEA3B65EF17334F08029DF5928F1E2C7364991DB90

Function 00990930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00990951
GetForegroundWindow.USER32 ref: 00990968
GetDC.USER32(00000000), ref: 009909A4
GetPixel.GDI32(00000000,?,00000003), ref: 009909B0
ReleaseDC.USER32(00000000,00000003), ref: 009909E8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9c921edc39b6e8c14236ec2c05998e5f30df545fd42ba5660c082c11942473fc
Instruction ID: c857cf00416c5fcb5e40e59984a6ab2beb500e55c41bf22f315396bb2bdacd9b
Opcode Fuzzy Hash: 9c921edc39b6e8c14236ec2c05998e5f30df545fd42ba5660c082c11942473fc
Instruction Fuzzy Hash: 24219675600204AFD704EF69C944AAEB7F9EF85740F048468F85AD7352DB30EC44DB90

Function 0094CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0094CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0094CDE9

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0094CE0F
_free.LIBCMT ref: 0094CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0094CE31

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 85d124db48ef7051cc9de5dba2a3c53f52f75ac4318dd4e61e96ec3ea46fef6f
Instruction ID: 33145ac8a2267fc12f6bc49d284783afd63b8a7b73d533fc09c0368cfce42ab2
Opcode Fuzzy Hash: 85d124db48ef7051cc9de5dba2a3c53f52f75ac4318dd4e61e96ec3ea46fef6f
Instruction Fuzzy Hash: 4B0184F26072157F276116B66C88D7B6A6DEEC7BA13150129F905DB201EF618D0291F0

Function 00929639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00929693
SelectObject.GDI32(?,00000000), ref: 009296A2
BeginPath.GDI32(?), ref: 009296B9
SelectObject.GDI32(?,00000000), ref: 009296E2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5ee1f162f711c4348ed5c190dc89eb21fe4005680399dfcd8ad44cca664bfa00
Instruction ID: c6761d85d715c86290cdb84646e8fcdaa22fdbb300f502c606d6f329c2ea280d
Opcode Fuzzy Hash: 5ee1f162f711c4348ed5c190dc89eb21fe4005680399dfcd8ad44cca664bfa00
Instruction Fuzzy Hash: D7219D7082A355EFDB119F64FC88BA97BA8BB41365F100216F810AA1B6D3749C91EF90

Function 00975711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00975726
_memcmp.LIBVCRUNTIME ref: 00975744
_memcmp.LIBVCRUNTIME ref: 00975757
_memcmp.LIBVCRUNTIME ref: 0097576F
_memcmp.LIBVCRUNTIME ref: 00975787

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a487e3e531c68c7b866d206e07f75ecf4c9ff301bd72fcb9a7255916ca0b97a9
Instruction ID: 252ac6549ed7b32e1cc738e0998119988a71febf53fcd47c219e5692f99e0e38
Opcode Fuzzy Hash: a487e3e531c68c7b866d206e07f75ecf4c9ff301bd72fcb9a7255916ca0b97a9
Instruction Fuzzy Hash: C601D8A3641609FBE24C55119D92FBB735D9FA23A8F018020FD0C9F241F7A1EE1086F0

Function 00942DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0093F2DE,00943863,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6), ref: 00942DFD
_free.LIBCMT ref: 00942E32
_free.LIBCMT ref: 00942E59
SetLastError.KERNEL32(00000000,00911129), ref: 00942E66
SetLastError.KERNEL32(00000000,00911129), ref: 00942E6F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 19fc04d94f42cfa23e2307bd604fbe0672d7e33c16ae7ee6b91b88e83b230033
Instruction ID: fc194bff5db9cb23032d5e9aa0c98c9f3db65efe6b133605a0fc317e55bfa99b
Opcode Fuzzy Hash: 19fc04d94f42cfa23e2307bd604fbe0672d7e33c16ae7ee6b91b88e83b230033
Instruction Fuzzy Hash: D701287224960177CA1367356C85E2F266DFFD23B5BF54429F425E22D2EF74CC019160

Function 0097000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?,?,0097035E), ref: 0097002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?), ref: 00970064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970070

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f9792110127c2dc5edb76ed62964c1534a290d1fcec44ac6583395a1698044af
Instruction ID: 2b99f69145a0f7dc411fe5adf94c0bd218fe9a7d70f1bb19114782bf3a31f1a0
Opcode Fuzzy Hash: f9792110127c2dc5edb76ed62964c1534a290d1fcec44ac6583395a1698044af
Instruction Fuzzy Hash: E70162B7610214FFDB114F69DC44BAA7AEDEF847A1F148124F909D6210DB75DD40EBA0

Function 0097E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0097E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0097E9A5
Sleep.KERNEL32(00000000), ref: 0097E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0097E9B7
Sleep.KERNEL32 ref: 0097E9F3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: bcfeafe2b95c9cfc07c3fc5eba2692b7bff858abe9e09da23007d2f8169e3ce1
Instruction ID: 4c9a0d5711bfe30758fbaaab85bcf7b050f4e56e1624f3b00b7e494fe37b4160
Opcode Fuzzy Hash: bcfeafe2b95c9cfc07c3fc5eba2692b7bff858abe9e09da23007d2f8169e3ce1
Instruction Fuzzy Hash: 42015772D09A2DDBCF00ABE5D849AEDBB78BF0E301F004586EA06B2241CB349555DBA1

Function 009710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00971114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 0097112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0097114D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4e9473c038334d71f84cb9f6f3c2622a5881567699262e5b6cd39e90b0fb74d1
Instruction ID: bdbf023a22898e4a8b852a20cb13defc336a300074098b6570eb120512d5ad90
Opcode Fuzzy Hash: 4e9473c038334d71f84cb9f6f3c2622a5881567699262e5b6cd39e90b0fb74d1
Instruction Fuzzy Hash: 060131B5214205BFDB114F69DC49E6A3F7EEF86360B514415FA45DB350DB31DD009EA0

Function 00970FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00970FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00970FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00970FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00970FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00971002

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c99bf952b08ddced122d85444a6145ade520eb5a5aba5b53791231d374b30c0f
Instruction ID: 2194c107c427ce8e3c8f6da272ef52c47ef6ac2898241dc1db925c90e79907a5
Opcode Fuzzy Hash: c99bf952b08ddced122d85444a6145ade520eb5a5aba5b53791231d374b30c0f
Instruction Fuzzy Hash: E1F06DB6214311FBDB214FA8DC4DF563BADEF8A762F114414FA49CB261DE70DC509AA0

Function 00971014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0097102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00971036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0097104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971062

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c9802a3ea6401547491d484370dc37d2e7471caa323d3985bb583585f04ae443
Instruction ID: 8df335cd99ade723888152dff22bf6e9c641b68a0997f0905a4f06995c11e12e
Opcode Fuzzy Hash: c9802a3ea6401547491d484370dc37d2e7471caa323d3985bb583585f04ae443
Instruction Fuzzy Hash: C0F06DB6214311FBDB215FA8EC49F563BADEF8A761F114414FA49CB250DE70D8509AA0

Function 0098030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980324
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980331
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 0098033E
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 0098034B
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980358
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980365

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c8083eb4f856c61235a15ac6d44d490ff44f3565abb08bbdbe60412ee3445209
Instruction ID: fafcfaae1081968f3155fccd9a222bbcf4c067a8122a4b735ca610aeb9bdb408
Opcode Fuzzy Hash: c8083eb4f856c61235a15ac6d44d490ff44f3565abb08bbdbe60412ee3445209
Instruction Fuzzy Hash: C5017E72801B15DFCB30AF66D890816FBF9BFA03153158A3FD19652A31C7B1A959DF80

Function 0094D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0094D752

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094D764
_free.LIBCMT ref: 0094D776
_free.LIBCMT ref: 0094D788
_free.LIBCMT ref: 0094D79A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80557351398948a9a33e9417299974b54fd8b29ff6984bf88adb5154bf0c7242
Instruction ID: 428467f9de6b0f3e233ebf11a52ff7f6122631858d453620eea94e4b445b2c09
Opcode Fuzzy Hash: 80557351398948a9a33e9417299974b54fd8b29ff6984bf88adb5154bf0c7242
Instruction Fuzzy Hash: 72F036B6596205AB9625EB65FAD5D167BDDBB447107D40C06F048D7601C730FCC0D664

Function 00975C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00975C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00975C6F
MessageBeep.USER32(00000000), ref: 00975C87
KillTimer.USER32(?,0000040A), ref: 00975CA3
EndDialog.USER32(?,00000001), ref: 00975CBD

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 768008864d90b012e0788d4198efead707002a551c4ec773c5443cefb51a6cf9
Instruction ID: 8c2a9a196e165e75902f050522ae41acb52572bbf950dec1f0c4d0b343fcc209
Opcode Fuzzy Hash: 768008864d90b012e0788d4198efead707002a551c4ec773c5443cefb51a6cf9
Instruction Fuzzy Hash: 9D01F471504B04ABEB219B10DD4EFA677BCBF01B01F090559B1C7A50E0DBF4A984DBD0

Function 009422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009422BE

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 009422D0
_free.LIBCMT ref: 009422E3
_free.LIBCMT ref: 009422F4
_free.LIBCMT ref: 00942305

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7f1e922eec0feee88059097a70e3a068deb67412cb1feaf124484787af939dea
Instruction ID: ca15b545211175c65f0ade8491ca1e9bbc6d7c502d90deedcc8fccab7dbc5ffb
Opcode Fuzzy Hash: 7f1e922eec0feee88059097a70e3a068deb67412cb1feaf124484787af939dea
Instruction Fuzzy Hash: 58F03AB08692A19BDA12AF55BD91D0C3FA8F75C761780090BF420DA3B1C7711CA2FBA4

Function 009295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009295D4
StrokeAndFillPath.GDI32(?,?,009671F7,00000000,?,?,?), ref: 009295F0
SelectObject.GDI32(?,00000000), ref: 00929603
DeleteObject.GDI32 ref: 00929616
StrokePath.GDI32(?), ref: 00929631

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 95f102af85f9c2a30fb4b90a6d5ddebf20226d1a3e25d10c980795c9362e9b46
Instruction ID: 93f5c8a895f319608a8ce0a7babfc3f1a6b68536c4821ea175e2b14d6363864e
Opcode Fuzzy Hash: 95f102af85f9c2a30fb4b90a6d5ddebf20226d1a3e25d10c980795c9362e9b46
Instruction Fuzzy Hash: 5CF03C7002D354EBDB125F65FD5CB643BA5AB02362F048214F4255D0F2CB348991EF60

Function 00940F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009410F9
__freea.LIBCMT ref: 00941117

Part of subcall function 00941537: _free.LIBCMT ref: 0094154F

Strings

a/p, xrefs: 009411DE
am/pm, xrefs: 0094117A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4450cc1a5459429d39e03f52ccb9b88bb68d98ea71062864c514a6f5c4f1f5d3
Instruction ID: 09095ad4024af51c11115ccae1bf43056b384336f3baef438cec65ab89e53485
Opcode Fuzzy Hash: 4450cc1a5459429d39e03f52ccb9b88bb68d98ea71062864c514a6f5c4f1f5d3
Instruction Fuzzy Hash: 25D13531A14206CBCB289F68C895FFEBBB8FF45700F284559E911AB650E3799DC0CB91

Function 00997B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00930242: EnterCriticalSection.KERNEL32(009E070C,009E1884,?,?,0092198B,009E2518,?,?,?,009112F9,00000000), ref: 0093024D
Part of subcall function 00930242: LeaveCriticalSection.KERNEL32(009E070C,?,0092198B,009E2518,?,?,?,009112F9,00000000), ref: 0093028A

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 009300A3: __onexit.LIBCMT ref: 009300A9

__Init_thread_footer.LIBCMT ref: 00997BFB

Part of subcall function 009301F8: EnterCriticalSection.KERNEL32(009E070C,?,?,00928747,009E2514), ref: 00930202
Part of subcall function 009301F8: LeaveCriticalSection.KERNEL32(009E070C,?,00928747,009E2514), ref: 00930235

Strings

Variable must be of type 'Object'., xrefs: 00997C3A
G, xrefs: 00997C7F
5, xrefs: 00997C78

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: ff1ff556e5d03fb98f3a07c9989c317c9379b2786350bd7636f1b72b0d38df9a
Instruction ID: 3e3cc78616664a2fc550eaf0fe914e8bf05cb092ac0d6e3278687050c821a198
Opcode Fuzzy Hash: ff1ff556e5d03fb98f3a07c9989c317c9379b2786350bd7636f1b72b0d38df9a
Instruction Fuzzy Hash: 83919A70A14209AFCF14EF98D891ABDB7B5BF89300F148459F8469B392DB71AE81CB51

Function 00972716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0097B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009721D0,?,?,00000034,00000800,?,00000034), ref: 0097B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00972760

Part of subcall function 0097B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0097B3F8

Part of subcall function 0097B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0097B355
Part of subcall function 0097B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00972194,00000034,?,?,00001004,00000000,00000000), ref: 0097B365
Part of subcall function 0097B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00972194,00000034,?,?,00001004,00000000,00000000), ref: 0097B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0097281A

Strings

@, xrefs: 00972832

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: bd7cffdd6fbf0c3298c08689a4dd92b8f1eb7cfc7388f6a32ede15f868057bd9
Instruction ID: 9a7e5c9bde4ef568ce24e4a810208122cafe865cc558f14509cd4186c0146b37
Opcode Fuzzy Hash: bd7cffdd6fbf0c3298c08689a4dd92b8f1eb7cfc7388f6a32ede15f868057bd9
Instruction Fuzzy Hash: 06413B72900218AFDB10DBA4CD41BEEBBB8AF49300F108095FA59B7191DB716E85DBA1

Function 0094172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00941769
_free.LIBCMT ref: 00941834
_free.LIBCMT ref: 0094183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00941760, 00941767, 00941796, 009417CE

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 8f8e31cb104ce3d0129be3a4e534ff5ca3764ed4e0b02b523bc63170f0e8e61a
Instruction ID: 1f14e65318ffc5c28a6e2fc8b7fc1db3e66f7eab7be40b37c142b6f6f6270716
Opcode Fuzzy Hash: 8f8e31cb104ce3d0129be3a4e534ff5ca3764ed4e0b02b523bc63170f0e8e61a
Instruction Fuzzy Hash: 14316D71A44258EFDB21DB99DC85E9EBBFCEB85310B144166F914DB311D6708E80DB90

Function 0097C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0097C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0097C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009E1990,01095530), ref: 0097C395

Strings

0, xrefs: 0097C2DF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9786c054f25362ca1e077a652139f112218357e422925af71b07d69bbbb64415
Instruction ID: 96326d6816f1b3380bc161aea595d62a6c3aaac808a0eddfe8cb565f69819685
Opcode Fuzzy Hash: 9786c054f25362ca1e077a652139f112218357e422925af71b07d69bbbb64415
Instruction Fuzzy Hash: 644192B22083019FD724DF25D885B5ABBE8AFC5321F14CA1DF9A9972D1D770E904CB62

Function 009A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009ACC08,00000000,?,?,?,?), ref: 009A44AA
GetWindowLongW.USER32 ref: 009A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A44D7

Strings

SysTreeView32, xrefs: 009A447C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 38d0981b1971d8997132948c8e49888547b916c552d303362140e14fa90479e7
Instruction ID: 20c64188543dbf2bd569e42e988cc3b540eb5fc21a8d7e18285a51513e4f8eb5
Opcode Fuzzy Hash: 38d0981b1971d8997132948c8e49888547b916c552d303362140e14fa90479e7
Instruction Fuzzy Hash: F431CD31214205AFDB208F38DC45BEA77E9EB8A334F204725F975921E0D7B0EC509B90

Function 0099304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0099335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00993077,?,?), ref: 00993378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0099307A
_wcslen.LIBCMT ref: 0099309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00993106

Strings

255.255.255.255, xrefs: 00993095, 0099309A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 1681d0a3761e94cb428fcdcfdc2f8ca8ac42e6f353681595f42b1bc786808a2f
Instruction ID: 21ac8ca11ba95eaf44bb421bd3df4b4e2289bd20e5c41e953796706119417406
Opcode Fuzzy Hash: 1681d0a3761e94cb428fcdcfdc2f8ca8ac42e6f353681595f42b1bc786808a2f
Instruction Fuzzy Hash: 3F31C1392042059FCF20CF6CC485EAA77E4EF55318F24C059E9158B3A2DB36EE85C760

Function 009A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 009A3F78

Strings

SysMonthCal32, xrefs: 009A3F0B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5c740af4c8334c73ed9ad69256e7c5b82863b186acf3b0e3da71b7f5e8b3f385
Instruction ID: e7ecc2f38bfbdfffcad8feb39bc8525640ba4be9e07804808d8ae21eb8835889
Opcode Fuzzy Hash: 5c740af4c8334c73ed9ad69256e7c5b82863b186acf3b0e3da71b7f5e8b3f385
Instruction Fuzzy Hash: F521BF32610219BFEF218F90CC46FEA3B79EF89714F114214FA156B1D0D6B1AC909BD0

Function 009A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009A471A

Strings

msctls_updown32, xrefs: 009A4684

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 35eec9d58cb730771ab32b4c785c362cbd69b137c756843990d9a06d2aa9320a
Instruction ID: 3b66a25db26dee8c074d8410fbdb97e7fd80d12799d78ae0683cac1a0c046184
Opcode Fuzzy Hash: 35eec9d58cb730771ab32b4c785c362cbd69b137c756843990d9a06d2aa9320a
Instruction Fuzzy Hash: D2215EB5605249AFDB10DF68DCC1DBB37ADEF8B398B040459FA009B261DB70EC51DAA0

Function 009795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0097961D

Strings

#notrayicon, xrefs: 009795B7
#OnAutoItStartRegister, xrefs: 009795F3
#requireadmin, xrefs: 009795D9

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9775697f4abbcf06fb22708e79ad26c97193dcd2507b7794c1d99e353081be45
Instruction ID: 6b33c09cd93bf52c48baabbf709fd85f64df85fe218dc6cae91a93197ff6e7de
Opcode Fuzzy Hash: 9775697f4abbcf06fb22708e79ad26c97193dcd2507b7794c1d99e353081be45
Instruction Fuzzy Hash: B721577320422166C331BB259C16FBBB3ECEFD2314F108426F94D9B181EB55AD81C2E5

Function 009A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009A3876

Strings

Listbox, xrefs: 009A380F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8d839987150aa5af0deef745f70359576a436eae95898812933301e75bff5cdb
Instruction ID: 51543b03ba7c1787c338a56e6155cd5c2a437501bebbc55c003c9331a8e0ad5f
Opcode Fuzzy Hash: 8d839987150aa5af0deef745f70359576a436eae95898812933301e75bff5cdb
Instruction Fuzzy Hash: D1218E72614218BBEF218FA5CC85FAB376EEF8A754F108125F9049B190CA75DC528BE0

Function 009849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00984A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00984A5C
SetErrorMode.KERNEL32(00000000,?,?,009ACC08), ref: 00984AD0

Strings

%lu, xrefs: 00984A6F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4323c59915428f222d5cf961578823d09b4ca7420d61bc28a3b93cb065fb6150
Instruction ID: baf832318e0a4ecee6d4e7da304741bd02fcad559e22a3f686b42364a15736ee
Opcode Fuzzy Hash: 4323c59915428f222d5cf961578823d09b4ca7420d61bc28a3b93cb065fb6150
Instruction Fuzzy Hash: C1314C75A04109AFDB10DF54C885EAA7BF8EF49308F1480A5E909DF352DB71EE45CBA1

Function 009A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009A4271

Strings

msctls_trackbar32, xrefs: 009A4226

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 82f184cdc8be4d6838cca9536ba98b60497fd2b4de5a4a052264fd370156e69b
Instruction ID: ff592bad55e19dd8c81b916a097a1bf3a334703c553e64c724221af03a3a13c6
Opcode Fuzzy Hash: 82f184cdc8be4d6838cca9536ba98b60497fd2b4de5a4a052264fd370156e69b
Instruction Fuzzy Hash: FB112931240248BEEF205F79CC46FAB3BACEFD6B54F010524FA55E60A0D6B1DC519BA0

Function 00972F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Part of subcall function 00972DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00972DC5
Part of subcall function 00972DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00972DD6
Part of subcall function 00972DA7: GetCurrentThreadId.KERNEL32 ref: 00972DDD
Part of subcall function 00972DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00972DE4

GetFocus.USER32 ref: 00972F78

Part of subcall function 00972DEE: GetParent.USER32(00000000), ref: 00972DF9

GetClassNameW.USER32(?,?,00000100), ref: 00972FC3
EnumChildWindows.USER32(?,0097303B), ref: 00972FEB

Strings

%s%d, xrefs: 00972FFF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 15918bb1f52f8673b098e48ca9dfe0e89ccfed3a8e4be794ad90b35e42fe72f0
Instruction ID: 9c0c70536ac39c250659a6497744021c4d15e0c055e3e54dc4434bf728c832f3
Opcode Fuzzy Hash: 15918bb1f52f8673b098e48ca9dfe0e89ccfed3a8e4be794ad90b35e42fe72f0
Instruction Fuzzy Hash: E811A2B27002096BCF14BF709C86FED376AAFC4314F04C075B90DAB292DE3099459B60

Function 009A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009A58EE
DrawMenuBar.USER32(?), ref: 009A58FD

Strings

0, xrefs: 009A588F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 75195d78bad098d089565f096754ada617bcc07095599b2c581cdbf2563dffe5
Instruction ID: 8435389ab78e880b262d8d11d8f6a0911cf37a49a87606aa36bb859591014f25
Opcode Fuzzy Hash: 75195d78bad098d089565f096754ada617bcc07095599b2c581cdbf2563dffe5
Instruction Fuzzy Hash: 5C019B71614218DFDB119F11DC44BAF7BB8FF86360F1180A9F849DA151DB308A84EF61

Function 0097007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421c24a445055f9b05ac9f14a7f51a51c438e076bc7aa715bbdf1b13da9b5b6c
Instruction ID: 927218489c629cdc3d3a354a641d6bd6809e825ba2804a79d8f0217f11edf5b4
Opcode Fuzzy Hash: 421c24a445055f9b05ac9f14a7f51a51c438e076bc7aa715bbdf1b13da9b5b6c
Instruction Fuzzy Hash: E0C14C76A0020AEFDB14CFA4C894BAEB7B9FF88714F108598E519EB251D731ED41DB90

Function 00943E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00943F0B
__alldvrm.LIBCMT ref: 0094410C
__alldvrm.LIBCMT ref: 0094412E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 190cc874151e7127a7039461bbeb22963bf223b9f011ec9ddff340a5e8cf3cbf
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 59A16B71E043869FEB25CF28C891FAEBBF8EF65350F1441ADE5959B281C6388D85CB50

Function 0099342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00993459
CoUninitialize.OLE32 ref: 00993463
VariantInit.OLEAUT32(?), ref: 0099346E
VariantClear.OLEAUT32(?), ref: 0099371B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 41f5b0316af1b0fd2c5cb40ed06f0b2fc57f4e41e6b7dfeba87e63f1089bee2b
Instruction ID: d9a238b1220691538c8208446bcafd7c6083727ef1a453ebd419e70e90c9c199
Opcode Fuzzy Hash: 41f5b0316af1b0fd2c5cb40ed06f0b2fc57f4e41e6b7dfeba87e63f1089bee2b
Instruction Fuzzy Hash: CEA149753042059FCB10DF68C485A6AB7E9FF88714F058859F98A9B362DB30EE41CB92

Function 00970436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009AFC08,?), ref: 009705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009AFC08,?), ref: 00970608
CLSIDFromProgID.OLE32(?,?,00000000,009ACC40,000000FF,?,00000000,00000800,00000000,?,009AFC08,?), ref: 0097062D
_memcmp.LIBVCRUNTIME ref: 0097064E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a1f29184e08b9db128f512bf12c9c40267e135d5e3d7696e1f0bbc422b1d3703
Instruction ID: cf986d0c9e676ecfd0a14bb207b2e0f040581c63d519d2f0390cf424363b4fce
Opcode Fuzzy Hash: a1f29184e08b9db128f512bf12c9c40267e135d5e3d7696e1f0bbc422b1d3703
Instruction Fuzzy Hash: 6C810972A00109EFCB04DF94C994EEEB7B9FF89315F208558F516AB250DB71AE46CB60

Function 0099A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0099A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0099A6BA

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Process32NextW.KERNEL32(00000000,?), ref: 0099A79C
CloseHandle.KERNEL32(00000000), ref: 0099A7AB

Part of subcall function 0092CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00953303,?), ref: 0092CE8A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9a6fa91b8b85c1f4f7f411a54c41afac0fb5d81a16de5932256748de68e98929
Instruction ID: 40e8d05b46da4e2ac87387fb2efec90aee96a97c92d7a696608e2f127569adcb
Opcode Fuzzy Hash: 9a6fa91b8b85c1f4f7f411a54c41afac0fb5d81a16de5932256748de68e98929
Instruction Fuzzy Hash: 49515EB1608314AFD710EF24D886A6BBBE8FFC9754F00891DF59597261EB30E944CB92

Function 00951391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009514C0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 476aed1dde627c2ff6a3ba124e8044b554468575aee42659ed9df8d2a1c5d9e2
Instruction ID: 6b8254c881d69665c8b2d5cf03d4d41cc6f950723f50cb8349f4bcb01fb7b0d4
Opcode Fuzzy Hash: 476aed1dde627c2ff6a3ba124e8044b554468575aee42659ed9df8d2a1c5d9e2
Instruction Fuzzy Hash: E2414A31A00111ABDB25EFFB9C45BBF3AA8EF81371F140625FC29D61A2E67488455761

Function 009A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009A62E2
ScreenToClient.USER32(?,?), ref: 009A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009A6382

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7ab156543fd399c4e73af6662625f9888d3ce0761e05e2e07ab8b4790d24b85b
Instruction ID: 84ee6f478c201331ee9e15522f2b29184885d0288652440b4462d3e06e8a5ba6
Opcode Fuzzy Hash: 7ab156543fd399c4e73af6662625f9888d3ce0761e05e2e07ab8b4790d24b85b
Instruction Fuzzy Hash: F1514D74A00249EFCF10DF68D880AAE7BB9FF46364F148159F9159B2A1DB30ED81DB90

Function 00991AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00991AFD
WSAGetLastError.WSOCK32 ref: 00991B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00991B8A
WSAGetLastError.WSOCK32 ref: 00991B94

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 1fca3372dafad74514ba5f12664e3b9fdc34a66ae5bfd56328941669d2e7170a
Instruction ID: 85442beb05b77da95f246fb91511b16cec9069f7acf5c24c865e2e893e8dda19
Opcode Fuzzy Hash: 1fca3372dafad74514ba5f12664e3b9fdc34a66ae5bfd56328941669d2e7170a
Instruction Fuzzy Hash: 2B4190747402016FEB20AF24D886F6577E5AF84718F548458F91A9F3D3E772ED828B90

Function 0094B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7d0eee610c1d4a4e42be1377442c75c92a6093f67766a251710d255d81a3d0
Instruction ID: 36e4fb35fe0fe02a8cd5d979d2cc4c7429afceb58066fac6880bd8e2e484b210
Opcode Fuzzy Hash: ee7d0eee610c1d4a4e42be1377442c75c92a6093f67766a251710d255d81a3d0
Instruction Fuzzy Hash: D8410675A00304AFD7249F38CC42FAABBE9EBC8720F10452AF556DB692D771E9058B80

Function 009856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00985783
GetLastError.KERNEL32(?,00000000), ref: 009857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009857FA

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e3f02cfb1204553b8d269dd5e17f22a0c6b2be30cef983f320ed44fa6dae6f8e
Instruction ID: 7725e9f69d064ddaeff9b5f7020b40ae73872f18f86c387ae177ea07e23521de
Opcode Fuzzy Hash: e3f02cfb1204553b8d269dd5e17f22a0c6b2be30cef983f320ed44fa6dae6f8e
Instruction Fuzzy Hash: B2411639704615DFCB11EF55C444A5ABBF6AF89320B198888E84AAB362CB34FD41CB91

Function 0094D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00936D71,00000000,00000000,009382D9,?,009382D9,?,00000001,00936D71,8BE85006,00000001,009382D9,009382D9), ref: 0094D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0094D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0094D9AB
__freea.LIBCMT ref: 0094D9B4

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6682a84f7822e22c9df4d8adc44917efcde4c89f8fcb8d42aaa0b0623f1f520c
Instruction ID: c9dd804ead9d42ee0661dc710e0c6a7380808109093db5e71419d2563056833c
Opcode Fuzzy Hash: 6682a84f7822e22c9df4d8adc44917efcde4c89f8fcb8d42aaa0b0623f1f520c
Instruction Fuzzy Hash: A331BC72A0220AABDF24DF65DC45EAE7BA9EF81710F054168FC04DB290EB35DD50CBA0

Function 009A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009A5352
GetWindowLongW.USER32(?,000000F0), ref: 009A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009A53A8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 18cd4362cd20e03a6b7d322829a821eb2be4a501d05af6dc01de4014487d547b
Instruction ID: ad11ec6a7386e731637163129bb790c3d0e5578b3217aca87bad22bee62cca11
Opcode Fuzzy Hash: 18cd4362cd20e03a6b7d322829a821eb2be4a501d05af6dc01de4014487d547b
Instruction Fuzzy Hash: 4B31D030B59A08FFEF349A14CC46BE83769AB86390F594401FA11961E1CBB59D80EBC1

Function 0097AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0097ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0097AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0097AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0097ACC6

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d9edba437dace82c9010ebcab495d62a0512afd6d4e3bb8837a8c9b01e7cbdd1
Instruction ID: 8ccea165bc31c9fdb6c66cc926c821f1fa827fae524946d47502415739987eb7
Opcode Fuzzy Hash: d9edba437dace82c9010ebcab495d62a0512afd6d4e3bb8837a8c9b01e7cbdd1
Instruction Fuzzy Hash: 41311872A04218BFEF26CB658805BFE7AA9AFC5310F0CC61AE4C9561D1C37889819792

Function 009A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009A769A
GetWindowRect.USER32(?,?), ref: 009A7710
PtInRect.USER32(?,?,009A8B89), ref: 009A7720
MessageBeep.USER32(00000000), ref: 009A778C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0a785c2a6ac649b7e35d66bf67f186d0d79024ca4a029c6f83ed8c8e8df3fc2d
Instruction ID: 5fd97ac3e3c256a4f41daabea7c4152fc785d6ffa0e17bb1a901a922f3b2da43
Opcode Fuzzy Hash: 0a785c2a6ac649b7e35d66bf67f186d0d79024ca4a029c6f83ed8c8e8df3fc2d
Instruction Fuzzy Hash: D4417A34A09255DFCB01CF98DC96EA9B7F9FF4A314F1940A8E8149F262D730A941DBD0

Function 009A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009A16EB

Part of subcall function 00973A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00973A57
Part of subcall function 00973A3D: GetCurrentThreadId.KERNEL32 ref: 00973A5E
Part of subcall function 00973A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009725B3), ref: 00973A65

GetCaretPos.USER32(?), ref: 009A16FF
ClientToScreen.USER32(00000000,?), ref: 009A174C
GetForegroundWindow.USER32 ref: 009A1752

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 56cb23cde809e34f21ef469d8bd6c79b4139e2e52b40fd2efb019b59b2f9063c
Instruction ID: b5ef865e7098affe4f719015f6eff2ec78372ebc967ee029a5fb4209dbeedc75
Opcode Fuzzy Hash: 56cb23cde809e34f21ef469d8bd6c79b4139e2e52b40fd2efb019b59b2f9063c
Instruction Fuzzy Hash: 07311DB5E04249AFC704EFA9C8819EEBBF9EF89304B5480A9E415E7211D631DE45CBA0

Function 0097DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

_wcslen.LIBCMT ref: 0097DFCB
_wcslen.LIBCMT ref: 0097DFE2
_wcslen.LIBCMT ref: 0097E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0097E018

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: bb441c90443f965ea1754b8757cbfcce3075c0008e3ae5740463a9d319a85f3b
Instruction ID: 87b8184ea591798bfaff97f5d461505540be4d2fa46844de54fedb7731b39168
Opcode Fuzzy Hash: bb441c90443f965ea1754b8757cbfcce3075c0008e3ae5740463a9d319a85f3b
Instruction Fuzzy Hash: F921C972901214EFCB10DFA8D982BAEB7F8EF89760F154065E805BB245D7709D40CBE1

Function 009A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

GetCursorPos.USER32(?), ref: 009A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00967711,?,?,?,?,?), ref: 009A9016
GetCursorPos.USER32(?), ref: 009A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00967711,?,?,?), ref: 009A9094

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 249cce87100b9fd79634ea454df9e2adc4cf27bbbce368266d5f3ff692789568
Instruction ID: 3f92d2db6212e650c316a7655b0a6c9f612d8a8595866500495c3c4671e4900c
Opcode Fuzzy Hash: 249cce87100b9fd79634ea454df9e2adc4cf27bbbce368266d5f3ff692789568
Instruction Fuzzy Hash: ED219F35615028EFCB258F94D898EEA7BB9FF8A390F144055F9054B261C3319D90EBA0

Function 0097D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009ACB68), ref: 0097D2FB
GetLastError.KERNEL32 ref: 0097D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0097D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009ACB68), ref: 0097D376

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e1a32aab0e313374ee48225a09d310f139535b1370395370a9ef6ed85e09148b
Instruction ID: 01d56c5fa31bdc271d900303ef3f6b148e30021540f20191cc205bd905df07ab
Opcode Fuzzy Hash: e1a32aab0e313374ee48225a09d310f139535b1370395370a9ef6ed85e09148b
Instruction Fuzzy Hash: A621837160A2019F8710DF24C8819AA77F8EF96768F108A1DF4A9C72A1DB31D946CB93

Function 00971571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00971014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0097102A
Part of subcall function 00971014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00971036
Part of subcall function 00971014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971045
Part of subcall function 00971014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0097104C
Part of subcall function 00971014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009715BE
_memcmp.LIBVCRUNTIME ref: 009715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00971617
HeapFree.KERNEL32(00000000), ref: 0097161E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: da966432ad8d3aef1804a9f5e5015fbd10c1d58203c473cf1e1573a3ceb5434b
Instruction ID: 0af4764b63b787bb30f68479fb4207a0bd0111bf373acf69c66906f111aa0974
Opcode Fuzzy Hash: da966432ad8d3aef1804a9f5e5015fbd10c1d58203c473cf1e1573a3ceb5434b
Instruction Fuzzy Hash: 2A21A172E00109EFDF14DFA8C945BEEB7B8EF45344F198459E445AB241E730AA05EF90

Function 009A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009A2840

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 66972ba8f6a9af5dd506940b422329c0330a8651b424d155a1d155ef7afea5ad
Instruction ID: 00b755b965804ecaacd386061aad213b6b3239b72eaff494c3d6883c900f13dd
Opcode Fuzzy Hash: 66972ba8f6a9af5dd506940b422329c0330a8651b424d155a1d155ef7afea5ad
Instruction Fuzzy Hash: 2E21CF31608515AFD7149B28C844FAA7B9AEF87324F148158F4268F6E2CB75FD82CBD0

Function 009778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00978D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0097790A,?,000000FF,?,00978754,00000000,?,0000001C,?,?), ref: 00978D8C
Part of subcall function 00978D7D: lstrcpyW.KERNEL32(00000000,?,?,0097790A,?,000000FF,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00978DB2
Part of subcall function 00978D7D: lstrcmpiW.KERNEL32(00000000,?,0097790A,?,000000FF,?,00978754,00000000,?,0000001C,?,?), ref: 00978DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00977923
lstrcpyW.KERNEL32(00000000,?,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00977949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00977984

Strings

cdecl, xrefs: 0097797B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 78edb682550d45e32aa1b2654088c9d8caa5b8d46f5e3b1cdf702d92afbe1c9d
Instruction ID: ba1e4c836afca9a51bbeedbc3f57db3f17a4fb89effdb772499c6553e5186305
Opcode Fuzzy Hash: 78edb682550d45e32aa1b2654088c9d8caa5b8d46f5e3b1cdf702d92afbe1c9d
Instruction Fuzzy Hash: DA11063B205201AFCB155F74D849E7BB7A9FF85390B00802AF90ACB2A4EF319801D791

Function 009A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0098B7AD,00000000), ref: 009A7D6B

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9345cda7494cfa63156823855fd31d12384e73a1ff661b159bf5a79cfbe66bbe
Instruction ID: bfa8603f08a52de0ec0d6fa2fbc44c639e5b2423ef5947ee64fb7a0a96c564d1
Opcode Fuzzy Hash: 9345cda7494cfa63156823855fd31d12384e73a1ff661b159bf5a79cfbe66bbe
Instruction Fuzzy Hash: AA11A271618665AFCB109F68DC04A6A7BA9AF47360B154724F835DB2F0D7309D50DB90

Function 009A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009A56BB
_wcslen.LIBCMT ref: 009A56CD
_wcslen.LIBCMT ref: 009A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009A5816

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 5da412b72da1146b8969910f09536c86fa45e6280437bba622cec2e8e31b1a03
Instruction ID: c7f0120b3d2725ad2ab30abfa27b8507995c1881e826f75600b2517e33ecf5e2
Opcode Fuzzy Hash: 5da412b72da1146b8969910f09536c86fa45e6280437bba622cec2e8e31b1a03
Instruction Fuzzy Hash: F211EE71B00608A6DB20DFA28C81AEE77ACAF46760F504426F905DA081EB748A80CBE0

Function 00941D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d239b9e6250e66046b7bd53ab6d81095028b35b48100f9e36ca5982c90593fd
Instruction ID: 188123f34d3e62c0d793462afa8867b972a849d66afb0351cc1866618ca0b6f1
Opcode Fuzzy Hash: 1d239b9e6250e66046b7bd53ab6d81095028b35b48100f9e36ca5982c90593fd
Instruction Fuzzy Hash: 76016DF2A196167FF6212AB86CC1F67671DEF863B8B340726F531A51D2DB709C805170

Function 00971A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00971A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00971A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00971A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00971A8A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 51ada7ac6a7407a3e7f02f268c9cf4b41ad6cbb8fa6e1d22807fa1ae852444cc
Instruction ID: 2972cac6c2b8b8b5d5d458d3a5a65f137522404f672732175676873b76ad4f47
Opcode Fuzzy Hash: 51ada7ac6a7407a3e7f02f268c9cf4b41ad6cbb8fa6e1d22807fa1ae852444cc
Instruction Fuzzy Hash: CE11097AD01219FFEF11DBA9CD85FADBB78EB08750F204091EA04B7290D6716E50DB94

Function 0097E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0097E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0097E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0097E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0097E24D

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 20caa669e6461443dbc65ec7b067c62689cef7124bf4368686f0b89321a10e7f
Instruction ID: cbf8c18b64daf938d2def18648d9192c8d48c8eb65ca27e98510bb32a9fd7db4
Opcode Fuzzy Hash: 20caa669e6461443dbc65ec7b067c62689cef7124bf4368686f0b89321a10e7f
Instruction Fuzzy Hash: 36112BB6A1C254BBC7019FA89C45A9F7FAC9F45310F008255F828E7291D670CD0097A0

Function 0093D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0093CFF9,00000000,00000004,00000000), ref: 0093D218
GetLastError.KERNEL32 ref: 0093D224
__dosmaperr.LIBCMT ref: 0093D22B
ResumeThread.KERNEL32(00000000), ref: 0093D249

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ed857dd12e9e6af20dbc262725c953deefe9b55089a855a3e477c1cfa54f30ae
Instruction ID: b78b0078b67c0c893b01fc0ff2e2e7888cea96702683c88217a50d85311c5507
Opcode Fuzzy Hash: ed857dd12e9e6af20dbc262725c953deefe9b55089a855a3e477c1cfa54f30ae
Instruction Fuzzy Hash: 1801D27680A204BBCB215BA5EC19BAB7A6DEFC2731F100219F935961D0CF71C901DBA0

Function 009A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

GetClientRect.USER32(?,?), ref: 009A9F31
GetCursorPos.USER32(?), ref: 009A9F3B
ScreenToClient.USER32(?,?), ref: 009A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 009A9F7A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4ea752cc2753f7d605464ad997915417952cc65513f88bcfa02df604fe14881e
Instruction ID: 0f00dc4d5612ece75648b1bf243a34e629a272eb93dc098696d1c8de522854df
Opcode Fuzzy Hash: 4ea752cc2753f7d605464ad997915417952cc65513f88bcfa02df604fe14881e
Instruction Fuzzy Hash: F511107290425AAFDB149FA8D889AEE77B8FB46311F000451FA01E6140D330AE81DBE1

Function 0091600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0091604C
GetStockObject.GDI32(00000011), ref: 00916060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0091606A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 56f14451bc1f41fb615e349d2e1378f685e8791c6d5c6e2454792bf1dba58ee1
Instruction ID: aac3bf5fb201c983e6ec64ce6d1374c2964360607726ed3b4b9e955a80bd1ab8
Opcode Fuzzy Hash: 56f14451bc1f41fb615e349d2e1378f685e8791c6d5c6e2454792bf1dba58ee1
Instruction Fuzzy Hash: 641161B2A0654DBFEF128F959C54EEA7B6DEF0D354F040115FA1456110D7369CA0EB90

Function 00933B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00933B56

Part of subcall function 00933AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00933AD2
Part of subcall function 00933AA3: ___AdjustPointer.LIBCMT ref: 00933AED

_UnwindNestedFrames.LIBCMT ref: 00933B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00933B7C
CallCatchBlock.LIBVCRUNTIME ref: 00933BA4

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 17cd71064e37e25c27029b45e13a93f5f9d793c3972f7c39faf04ff6fb2395e1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8B012932140148BBDF125E95CC46EEB7B7EEF88754F058014FE48A6121C736E961DFA0

Function 00943073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009113C6,00000000,00000000,?,0094301A,009113C6,00000000,00000000,00000000,?,0094328B,00000006,FlsSetValue), ref: 009430A5
GetLastError.KERNEL32(?,0094301A,009113C6,00000000,00000000,00000000,?,0094328B,00000006,FlsSetValue,009B2290,FlsSetValue,00000000,00000364,?,00942E46), ref: 009430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0094301A,009113C6,00000000,00000000,00000000,?,0094328B,00000006,FlsSetValue,009B2290,FlsSetValue,00000000), ref: 009430BF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e28388e6cc3f6e07f4e79751f9cf8b18ef4fd148f7d33d41a47721bd84c48176
Instruction ID: e29daa5ab2b73fcf84d74aa1cb42ec7e68291b84dbeec15d0ba4cf76fc135e8a
Opcode Fuzzy Hash: e28388e6cc3f6e07f4e79751f9cf8b18ef4fd148f7d33d41a47721bd84c48176
Instruction Fuzzy Hash: 6801DB72729222ABCB314B799C45E577B9CAF46B71B218720F915E7140DB25DD01C6E0

Function 00977464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0097747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00977497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009774CA

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 658524f9d13f1b9617a0b1973a2446289032bc5039b5bd198d389aa0c2b4d23c
Instruction ID: 1af79b64ee70bf544f5c8fb6e5e0b5d88e29b10cca5d9aee39ca160d44605252
Opcode Fuzzy Hash: 658524f9d13f1b9617a0b1973a2446289032bc5039b5bd198d389aa0c2b4d23c
Instruction Fuzzy Hash: B21161B62093159BE7208FA4DC09F92BFFDEF04B04F10C969A65ADA161D7B4E904DB90

Function 0097B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B126

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 73482896d8d728cebb8a5a718f65c516aa01c045cd48bf5f13865f8accb7ac00
Instruction ID: bdcae5d88ab0548701625d369c4ae4a6bf496b7928c518aadb5f93006b7a4fd0
Opcode Fuzzy Hash: 73482896d8d728cebb8a5a718f65c516aa01c045cd48bf5f13865f8accb7ac00
Instruction Fuzzy Hash: 7E11AD72E0952DEBCF00AFE4E9A87EEBB78FF0A711F008086D945B2185CB304651DB91

Function 009A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009A7E33
ScreenToClient.USER32(?,?), ref: 009A7E4B
ScreenToClient.USER32(?,?), ref: 009A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009A7E8A

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 12a4b6ab32438adecde674580b369cc7755dd04b24765156e6067fbee0cf5257
Instruction ID: 1733ba5763b418cc2a5898a5b3f15dca6db62a2c65e052ecf09a9685a100eef7
Opcode Fuzzy Hash: 12a4b6ab32438adecde674580b369cc7755dd04b24765156e6067fbee0cf5257
Instruction Fuzzy Hash: D41140B9D0420AAFDB41CF98C884AEEBBF9FF09310F509066E915E2210D735AA54DF90

Function 00972DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00972DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00972DD6
GetCurrentThreadId.KERNEL32 ref: 00972DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00972DE4

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8eb5f0e0caf6b022109d260ae8517d14923b09bbf1c85644ba899db77ce434a5
Instruction ID: 9373eace9b1cc9f0303d78c7c58965f0655bf1b388cac5bc1ef0698afcc6c2d4
Opcode Fuzzy Hash: 8eb5f0e0caf6b022109d260ae8517d14923b09bbf1c85644ba899db77ce434a5
Instruction Fuzzy Hash: 91E092B26292247BD7305B729C0DFEB3E6CFF43BA1F004015F109D90809AA4C840D6F0

Function 009A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00929639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00929693
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296A2
Part of subcall function 00929639: BeginPath.GDI32(?), ref: 009296B9
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009A8887
LineTo.GDI32(?,?,?), ref: 009A8894
EndPath.GDI32(?), ref: 009A88A4
StrokePath.GDI32(?), ref: 009A88B2

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fe061232b8aaec2fa76543ca7efbca313dee25c2f3301ba233c3487b358b61fd
Instruction ID: c14f3fd7b7c4ad321b594bbe86ddcb84e54d2b223e528762e59ec7b73a09ea11
Opcode Fuzzy Hash: fe061232b8aaec2fa76543ca7efbca313dee25c2f3301ba233c3487b358b61fd
Instruction Fuzzy Hash: 13F03A36059268BADB125F94AC0DFCE3A59AF07310F448000FA11690E2CB795511EBE9

Function 009298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009298CC
SetTextColor.GDI32(?,?), ref: 009298D6
SetBkMode.GDI32(?,00000001), ref: 009298E9
GetStockObject.GDI32(00000005), ref: 009298F1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f92155ba614450e2a18bdb226d59a672d1147eb50cdf0588a2fb20b62eae2a54
Instruction ID: 089931c3ea8bde31a18ab66ba35b4676c7736c79319cfec15e08c68d58df2d0b
Opcode Fuzzy Hash: f92155ba614450e2a18bdb226d59a672d1147eb50cdf0588a2fb20b62eae2a54
Instruction Fuzzy Hash: DBE06D7125C280AADB215B74BC09BE87F65EF1333AF048219F6FA580E1C7724680AB10

Function 0097162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00971634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009711D9), ref: 0097163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009711D9), ref: 00971648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009711D9), ref: 0097164F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0b77bc6c4a2737abb482b46f4fb766000b3239bc9a25e4342a1c2c92b4665621
Instruction ID: 91c169c0b5c48bb9028b39abcf09eb1dfe6a8bd34899d1e0ed213066168ae61f
Opcode Fuzzy Hash: 0b77bc6c4a2737abb482b46f4fb766000b3239bc9a25e4342a1c2c92b4665621
Instruction Fuzzy Hash: 4DE086B2615221DBDB201FA49D0DB473B7CAF46791F158808F645DD080DB348540D790

Function 0096D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0096D858
GetDC.USER32(00000000), ref: 0096D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0096D882
ReleaseDC.USER32(?), ref: 0096D8A3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: efe7ee3ff9bbcf0b09a75d5d50fe20efc4147e7003aaeb56c14e84e267179719
Instruction ID: 1062c477875888e799789d2b66ce3693884a916efc5e80cf0b34bcb05f3b6988
Opcode Fuzzy Hash: efe7ee3ff9bbcf0b09a75d5d50fe20efc4147e7003aaeb56c14e84e267179719
Instruction Fuzzy Hash: 3CE0E5B0914209DFCB419FA0980C66DBBB1EF09310B108409E806EB350CB389941AF80

Function 0096D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0096D86C
GetDC.USER32(00000000), ref: 0096D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0096D882
ReleaseDC.USER32(?), ref: 0096D8A3

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5fedeed2468cb2538c96910160eeea80f122a5288e98fd54525f2eafaa6d2ffe
Instruction ID: 3fe37e328ac8dee5d13c5d239e1e3cc0e5c0a47a432dd998ac4d3c51ac1bc7d7
Opcode Fuzzy Hash: 5fedeed2468cb2538c96910160eeea80f122a5288e98fd54525f2eafaa6d2ffe
Instruction Fuzzy Hash: DBE01AB0814209DFCF419FA0D80C66DBBB1FF09310B108408E806EB350CB389901AF80

Function 00984D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00984ED4

Strings

LPT, xrefs: 00984DFB
*, xrefs: 00984E10

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: fb3e4b7f4c7f6b38737e21dbc261941ae9bce1781c8953c1b2ace88e3e2af679
Instruction ID: d262b2db2139caa1627ffb27299d440940ee6bfedcc55bb087357a1534704374
Opcode Fuzzy Hash: fb3e4b7f4c7f6b38737e21dbc261941ae9bce1781c8953c1b2ace88e3e2af679
Instruction Fuzzy Hash: 73915175A002059FCB14EF58C484EAABBF5BF48308F19809DE94A9F362D735ED85CB91

Function 0093E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0093E30D

Strings

pow, xrefs: 0093E2E5, 0093E302

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fec79a6b09585fbb6908e56f80201908f183c1fb27e4c45fbd2e97b17adf4876
Instruction ID: 77ad4cb58785666f566a640ac39f7a74d40fd8907e56e6832c5c053573e4f18e
Opcode Fuzzy Hash: fec79a6b09585fbb6908e56f80201908f183c1fb27e4c45fbd2e97b17adf4876
Instruction Fuzzy Hash: 9F518E61E2C20A96CB157764CE45BBBBBACEF40750F344E58E0E5423F9EB348C919E46

Function 0092E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0092E1B1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ae419e96b0c256e2733a55e21e634b3d054da20f80570a47a1a008d2e59ff8e2
Instruction ID: 5ba1449660442d5a0a762fd75a6d46748f0419b37fd5440859743473a53e1b93
Opcode Fuzzy Hash: ae419e96b0c256e2733a55e21e634b3d054da20f80570a47a1a008d2e59ff8e2
Instruction Fuzzy Hash: 19513579A0425ADFDF15DF28D081AFA7BA8EF56310F248055F8A29B2C4D7349D42CBA0

Function 0092F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0092F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0092F2BB

Strings

@, xrefs: 0092F2AF

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 85a9c248a0471ba8d97101732512b2b52dc65286e641af2a3c21f52d3117525c
Instruction ID: 7384f24a0501f910b331ffbbfff6dda2a15fdcf607a75f7868364b4e34af7498
Opcode Fuzzy Hash: 85a9c248a0471ba8d97101732512b2b52dc65286e641af2a3c21f52d3117525c
Instruction Fuzzy Hash: 125135719187499BD320EF50D886BABBBF8FFC5300F81885DF199411A5EB308569CB66

Function 00995745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009957E0
_wcslen.LIBCMT ref: 009957EC

Strings

CALLARGARRAY, xrefs: 009957E6, 009957EB

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d0d60d1d42d3d23bfc8cd44ae029712d6e23452ea5e2d94d123134e3646c3894
Instruction ID: f4544ce7134ebc064cbddc544c9a7cfeaf45488d4c9220f8296622005ad2a630
Opcode Fuzzy Hash: d0d60d1d42d3d23bfc8cd44ae029712d6e23452ea5e2d94d123134e3646c3894
Instruction Fuzzy Hash: 10418171A002099FCF15DFA9C8859BEBBF9EF99324F114069E505A7261E7349D81CB90

Function 0098D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0098D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0098D13A

Strings

|, xrefs: 0098D10B

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ca68243524e967fa3712cd4179f343ce074e7abb3671db2186a4666bfd744968
Instruction ID: bb0b8ddb2e018445115b17b7a0866350073575d28ca7ccbfe3975e3deb0b0e1c
Opcode Fuzzy Hash: ca68243524e967fa3712cd4179f343ce074e7abb3671db2186a4666bfd744968
Instruction Fuzzy Hash: 46313D71D01209ABCF15EFA4CC85AEE7FB9FF45300F000119F815A6265DB35AA56DB50

Function 009A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009A365C

Strings

static, xrefs: 009A35BC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3282456b6dcd285e505d274030cd0b2a867d0ecd09ec272d73b2d11ee9f9a7fd
Instruction ID: 7737a6908a05b9944658498003d950709e879332f3767a0c05029da4739732eb
Opcode Fuzzy Hash: 3282456b6dcd285e505d274030cd0b2a867d0ecd09ec272d73b2d11ee9f9a7fd
Instruction Fuzzy Hash: 55318B71510204AEDB109F68DC81FFB73ADFF89724F009619F8A997280DA31AD81DBA0

Function 009A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009A4634

Strings

', xrefs: 009A458E

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 178ccf72854ce4abbf2a7deebc736ab61a484506534db539524a9fff2e5dd14f
Instruction ID: 35dfe155be1aec3b18b2a1fcae168c03b690118e6032784891f0b64d8389d74e
Opcode Fuzzy Hash: 178ccf72854ce4abbf2a7deebc736ab61a484506534db539524a9fff2e5dd14f
Instruction Fuzzy Hash: 3331F774A0130A9FDB14CFA9C991BDA7BB9FF8A300F14546AE905AB351D7B0A941CF90

Function 009A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009A3287

Strings

Combobox, xrefs: 009A3249

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fea32e20c783ec451c51aa97feaffa4335176d172559b3bc93215237478ab09e
Instruction ID: 7c18ca3c8fe441c50d9aa989cc116a3961fc57e4fbdecbe0c477013900b33486
Opcode Fuzzy Hash: fea32e20c783ec451c51aa97feaffa4335176d172559b3bc93215237478ab09e
Instruction Fuzzy Hash: 6C11B2713042087FEF219E94DC81FBB3B6EEB9A3A4F108125F9289B290D6319D5197E0

Function 009A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0091600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0091604C
Part of subcall function 0091600E: GetStockObject.GDI32(00000011), ref: 00916060
Part of subcall function 0091600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0091606A

GetWindowRect.USER32(00000000,?), ref: 009A377A
GetSysColor.USER32(00000012), ref: 009A3794

Strings

static, xrefs: 009A3757

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 081f6e8dd4c7d93f3c472e50b68b656902bc660303fb57b1a86291bf747f085b
Instruction ID: 673f8650188b1a1468b51203f64980689c11cbbd4697daff66f6eb14de3bdb49
Opcode Fuzzy Hash: 081f6e8dd4c7d93f3c472e50b68b656902bc660303fb57b1a86291bf747f085b
Instruction Fuzzy Hash: C61129B2610209AFDB00DFA8CC45EFA7BF8EF09354F004914F955E6250E735E8519BA0

Function 0098CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0098CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0098CDA6

Strings

<local>, xrefs: 0098CD66

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fe40437733306bc6ffda3446a692e4c669ac6804ce2c00b6645a6ca4ac4de00e
Instruction ID: 682928ee6de5f9059c5f072562b842bc8da55461841e710c5c41945821c2157c
Opcode Fuzzy Hash: fe40437733306bc6ffda3446a692e4c669ac6804ce2c00b6645a6ca4ac4de00e
Instruction Fuzzy Hash: 2F11C2F1215631BAD7387B668C49EE7BEACEF127A4F00462AB10A932C0D7749841D7F0

Function 009A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009A34BA

Strings

edit, xrefs: 009A348F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ae0172db0bace4d48b1b0422222a84e9e6cdd68ddd409694d9decea27a7a5369
Instruction ID: cc52b3f4680792527be0b451b41756eee230bb616a57a8cc332cd79e878e8bfb
Opcode Fuzzy Hash: ae0172db0bace4d48b1b0422222a84e9e6cdd68ddd409694d9decea27a7a5369
Instruction Fuzzy Hash: EB118F71514208AFEB118F64DC84AEB37AEEF4A378F508724F961971E0C775DC919B90

Function 00976C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

CharUpperBuffW.USER32(?,?,?), ref: 00976CB6
_wcslen.LIBCMT ref: 00976CC2

Strings

STOP, xrefs: 00976CBC, 00976CC1

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 00a8bf65a0c5892a29d5a42b7cd7c36886da84c0faece7d3d4811182c1151bea
Instruction ID: af52c6e27cad0224979a6aacf758b9fcc1c6c071f56c8f4d282df043eaf34a93
Opcode Fuzzy Hash: 00a8bf65a0c5892a29d5a42b7cd7c36886da84c0faece7d3d4811182c1151bea
Instruction Fuzzy Hash: 6B01043361092A8ACB219FBDCC80ABF33A8EBA1710B154924E9AA96190EB35D940C650

Function 00971CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00971D4C

Strings

ComboBox, xrefs: 00971CEB
ListBox, xrefs: 00971D16

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 265dd58f1fd6dc886dffb0d1e50c1cd10c2b90b005421a31cd03dcf228dffd83
Instruction ID: 66d79e30e016e7ae6d68cad7e7e4f9ac20fa714750b97a6f2e7d3178b6ef8a8e
Opcode Fuzzy Hash: 265dd58f1fd6dc886dffb0d1e50c1cd10c2b90b005421a31cd03dcf228dffd83
Instruction Fuzzy Hash: A701DD72741118ABCB14EBA4CD51DFE7368EF86390B04851AFC6A573C1EA3459089B60

Function 00971BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00971C46

Strings

ComboBox, xrefs: 00971BE5
ListBox, xrefs: 00971C10

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bfd9de20ba7bc98ee6437b140fddb47257ca6e80e7e964c372e866ee82e9b2ce
Instruction ID: 9038dc72c3f6d9b0aae974f4813918bbbbbc7faee4a16e3a3cddf28bdbe1c6f6
Opcode Fuzzy Hash: bfd9de20ba7bc98ee6437b140fddb47257ca6e80e7e964c372e866ee82e9b2ce
Instruction Fuzzy Hash: EC01AC7678110867CB05E7D4C952BFF77AC9F51340F284016A98A672C1EA249E08D7B1

Function 00971C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00971CC8

Strings

ComboBox, xrefs: 00971C69
ListBox, xrefs: 00971C94

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 384e3b77f1a32eca173214ae3a54e271f92d11eda73243e1381c6155c320141f
Instruction ID: a8de82b1b8973b2e09f5b7c7cd9221ff5ae4b70e9ff8b525c789cdf0d872625d
Opcode Fuzzy Hash: 384e3b77f1a32eca173214ae3a54e271f92d11eda73243e1381c6155c320141f
Instruction Fuzzy Hash: 4001DB7278011867CB05EBD4CB12BFE73ACAB52340F188016BCCA77281EA249F08D6B1

Function 00971D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00971DD3

Strings

ComboBox, xrefs: 00971D75
ListBox, xrefs: 00971DA0

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 020354d158a7b850aae3457ed2cc98754ba70c4aa6b8a06ccc4ea9d5f3960948
Instruction ID: e9bd60dac7667eef45348deabaa210d5f60cb2e16127e1847cf01d6fb538771a
Opcode Fuzzy Hash: 020354d158a7b850aae3457ed2cc98754ba70c4aa6b8a06ccc4ea9d5f3960948
Instruction Fuzzy Hash: 2AF0C872B5121867DB14F7A8CD63FFF777CAF82350F044916B8AB672C1DA645A0886A0

Function 0099747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00997493
_wcslen.LIBCMT ref: 009974B9

Strings

3, 3, 16, 1, xrefs: 00997483

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f617ef0974b9d9e0dcf31bd076da00c77e552322d7b60e41453199061e008ffe
Instruction ID: a892dff809b32e341698267e9fb85c6a598af95205336c425e3cccc7cba4f07b
Opcode Fuzzy Hash: f617ef0974b9d9e0dcf31bd076da00c77e552322d7b60e41453199061e008ffe
Instruction Fuzzy Hash: 49E02B0222422010973112BEACC1B7FD78ECFC9BA0B14182BF985C227BEE949D9193A1

Function 00970B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00970B23

Strings

AutoIt, xrefs: 00970B17
Error allocating memory., xrefs: 00970B1C

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 37b432584a0eb3e5c1a753a47d0547835c2d3b1dda6728613234293d4d57114e
Instruction ID: 2d192c56f9f7b4076f084f279dfda8e7c3ec74927b7f7e60bb1485a99b6ace8a
Opcode Fuzzy Hash: 37b432584a0eb3e5c1a753a47d0547835c2d3b1dda6728613234293d4d57114e
Instruction Fuzzy Hash: 08E0D83228431826D22437547C03F897B948F86B24F104427F788595C38FE1649046E9

Function 00930D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0092F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00930D71,?,?,?,0091100A), ref: 0092F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0091100A), ref: 00930D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0091100A), ref: 00930D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00930D7F

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fc67871011edf38bb45ba5da54364e043e0199f166b96e3ce948171e96810c37
Instruction ID: aaecd429a5fba5df9107e10689256bdc07e92699134114f045377154e4b7ab1f
Opcode Fuzzy Hash: fc67871011edf38bb45ba5da54364e043e0199f166b96e3ce948171e96810c37
Instruction Fuzzy Hash: BCE092B02003518BD7309FBCE4243467BE4AF45744F00492DE8A2CA695DBB1E884DFD1

Function 00983017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0098302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00983044

Strings

aut, xrefs: 00983038

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e51f9c052e7e682f08ab7a6402efcd9b5d4a85147b309d34c80b51300f59ab09
Instruction ID: 35760ccceb3e36b18b07cae0ea591aab88eea8db70edf93e58eff58abf6f0aef
Opcode Fuzzy Hash: e51f9c052e7e682f08ab7a6402efcd9b5d4a85147b309d34c80b51300f59ab09
Instruction Fuzzy Hash: 90D05BB154031477DA2097949D0DFC73B6CDB05750F4001527A65D6095DAB0D544CAD0

Function 0096D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0096D220

Strings

%.3d, xrefs: 0096D22B
X64, xrefs: 0096D2A8

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6df026113c53e0952a86686d257afdb3d9b1f517d6c9546466f3c3460bcb1618
Instruction ID: c6f4ca81ce94791e70abb4f750b009c57883e48972ff02610bda90a08f1256ba
Opcode Fuzzy Hash: 6df026113c53e0952a86686d257afdb3d9b1f517d6c9546466f3c3460bcb1618
Instruction Fuzzy Hash: 04D012A1D4A118E9CB9096D0EC559B9B37CAF48301F508863F836A1044E72CD508A761

Function 009A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009A233F

Part of subcall function 0097E97B: Sleep.KERNEL32 ref: 0097E9F3

Strings

Shell_TrayWnd, xrefs: 009A2325

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 829ea414d765921ed449f1117947d72259392c9c7a4a6dce14e4eaa535808a2b
Instruction ID: 3348573a024e1f8fe924edf04da32ae163f3c2fbd20fc17989f7a6308bc1a60d
Opcode Fuzzy Hash: 829ea414d765921ed449f1117947d72259392c9c7a4a6dce14e4eaa535808a2b
Instruction Fuzzy Hash: 05D0C9767A8310B6E664A7709C0FFC67A149F95B14F0089167759AA1D0C9A0A8019A94

Function 009A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009A236C
PostMessageW.USER32(00000000), ref: 009A2373

Part of subcall function 0097E97B: Sleep.KERNEL32 ref: 0097E9F3

Strings

Shell_TrayWnd, xrefs: 009A2365

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2537233e669e00af4af53962fa00793fbe9aae8dfc7053cffebc0bc1b2ed837a
Instruction ID: 58fc293c0e6c008c8348420756a4fff1f03685ec7fe129d8061ae8d1d0bcbf8b
Opcode Fuzzy Hash: 2537233e669e00af4af53962fa00793fbe9aae8dfc7053cffebc0bc1b2ed837a
Instruction Fuzzy Hash: 71D0C9727D93107AE664A7709C0FFC676149B96B14F0089167755AA1D0C9A0A8019A98

Function 0094BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0094BE93
GetLastError.KERNEL32 ref: 0094BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0094BEFC

Memory Dump Source

Source File: 00000000.00000002.2176790313.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2176628154.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177331568.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177405065.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2177430181.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52f207c61d6a3dc5c052c2fb092b961a50d38172f2700c9817f6fa7c4746f135
Instruction ID: 8cc064cf9561afe5c0896ce057f6ecb200aacee755211e5d3567ea291e47b16a
Opcode Fuzzy Hash: 52f207c61d6a3dc5c052c2fb092b961a50d38172f2700c9817f6fa7c4746f135
Instruction Fuzzy Hash: 8F41C334604206AFCF259F65CC54FAA7BA9AF82310F1441A9F95D9B1A1DB30CD05DB90

Analysis Process: firefox.exePID: 7148, Parent PID: 2608COMMON

Executed Functions

Function 000002D2DC00582E Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2310526882.000002D2DC001000.00000020.00000800.00020000.00000000.sdmp, Offset: 000002D2DC001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_2d2dc001000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf722b3e61ff57d2f23a2cb85dda78443c36424fd2d7ca45e661f46742cd81c
Instruction ID: e5b7070209822a8fe5d201c3f2af191d709cf6624329010f56310ce563fa2944
Opcode Fuzzy Hash: 1bf722b3e61ff57d2f23a2cb85dda78443c36424fd2d7ca45e661f46742cd81c
Instruction Fuzzy Hash: 41E1403161490D9FDF98DB58C898BA8B7B2FF6C321F2501AAD40DE3291DB71AD91CB50

Function 000002D2DC006B99 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2310526882.000002D2DC001000.00000020.00000800.00020000.00000000.sdmp, Offset: 000002D2DC001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_2d2dc001000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7bae8d0bf99ac715895ce196ccd3e1f0df62110276d6a20295b33bfc4780c6
Instruction ID: a27d73ae27e1a0464614a0fb78db6ffb9bf173b1151289752b582ecb7db95a4f
Opcode Fuzzy Hash: 9d7bae8d0bf99ac715895ce196ccd3e1f0df62110276d6a20295b33bfc4780c6
Instruction Fuzzy Hash: C9A16F30A14A1D9FDB98DB98C8DDBA8B3B1FB2C311F15019AD50DE72A2C775AD81CB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2262911048.0000018C16E8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269549918.0000018C159DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2345767383.0000018C159DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269549918.0000018C159DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2264151254.0000018C15686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2324754557.0000018C1581D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326237644.0000018C153D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316543023.0000018C0F5B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326237644.0000018C153D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C15686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316543023.0000018C0F5B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2319417534.0000018C0F507000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262911048.0000018C16E8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2345767383.0000018C159EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263279934.0000018C159EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269549918.0000018C159EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2342135449.0000018C15662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C1565E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2342135449.0000018C15662000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C1565E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2324754557.0000018C1581D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326237644.0000018C153D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C15686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2326237644.0000018C153D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264151254.0000018C15686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316543023.0000018C0F5B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2376789487.0000018C100C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2194519750.0000018C100C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3379278089.000002D77F703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2345767383.0000018C159C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302182141.0000018C159C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263279934.0000018C159C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2319417534.0000018C0F507000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262911048.0000018C16E8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2348804837.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2345767383.0000018C159EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263279934.0000018C159EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269549918.0000018C159EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2348804837.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2266297570.0000018C0FAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353593170.0000018C0FAD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2263629922.0000018C1586F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355999675.0000018C0DCE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.5:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49884 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_171a69cd-80c3-4780-8369-c55dff4c9a4f.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_171a69cd-80c3-4780-8369-c55dff4c9a4f.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre