Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546615
MD5:	48e5c172e53eb45e40fe1cef7643aa58
SHA1:	422b6caca89f7500ce91992cb5b0254724d19a19
SHA256:	ac8830011bbe6573de6ac2e7869991d41d7d9444baaf88a49c836fd329d5e363
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 48E5C172E53EB45E40FE1CEF7643AA58)

taskkill.exe (PID: 5784 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7116 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4668 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2748 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1776 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6508 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4760 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5776 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6668 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2092 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be90e5a9-a714-4e9a-b2d9-bae27ca43090} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef03870b10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1628 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 4204 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f404cf57-a3ef-442a-af98-a8d562502a5d} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1612bf10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7568 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cb7b9e-1b2a-4f54-99f3-e3c24b5654c3} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1b599d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2088236013.000000000142F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 3992	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T08:50:22.432505+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49742	TCP
2024-11-01T08:51:02.133062+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	51535	TCP

Code function: 0_2_0027EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0027EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0027ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0027EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0026AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00299576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00299576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0b009d45-c
Source: file.exe, 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_faffb87f-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7652b83a-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b74ccd04-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000021C8BFD2377 NtQuerySystemInformation,		17_2_0000021C8BFD2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000021C8BFF3632 NtQuerySystemInformation,		17_2_0000021C8BFF3632

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0026D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00261201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00261201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0026E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020BF40	0_2_0020BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00208060	0_2_00208060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00272046	0_2_00272046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00268298	0_2_00268298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023E4FF	0_2_0023E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023676B	0_2_0023676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00294873	0_2_00294873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022CAA0	0_2_0022CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020CAF0	0_2_0020CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021CC39	0_2_0021CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00236DD9	0_2_00236DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021B119	0_2_0021B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002091C0	0_2_002091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221394	0_2_00221394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221706	0_2_00221706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022781B	0_2_0022781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00207920	0_2_00207920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021997D	0_2_0021997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002219B0	0_2_002219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00227A4A	0_2_00227A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221C77	0_2_00221C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00227CA7	0_2_00227CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0028BE44	0_2_0028BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00239EEE	0_2_00239EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00221F32	0_2_00221F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000021C8BFD2377	17_2_0000021C8BFD2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000021C8BFF3632	17_2_0000021C8BFF3632
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000021C8BFF3672	17_2_0000021C8BFF3672
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000021C8BFF3D5C	17_2_0000021C8BFF3D5C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00209CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0021F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00220A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@66/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002737B5 GetLastError,FormatMessageW,

0_2_002737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002610BF AdjustTokenPrivileges,CloseHandle,		0_2_002610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0026D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0027648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2171352680.000001EF1FBD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2168364905.000001EF2076A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2247457109.000001EF1F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2092 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be90e5a9-a714-4e9a-b2d9-bae27ca43090} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef03870b10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 4204 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f404cf57-a3ef-442a-af98-a8d562502a5d} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1612bf10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cb7b9e-1b2a-4f54-99f3-e3c24b5654c3} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1b599d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2092 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be90e5a9-a714-4e9a-b2d9-bae27ca43090} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef03870b10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 4204 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f404cf57-a3ef-442a-af98-a8d562502a5d} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1612bf10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cb7b9e-1b2a-4f54-99f3-e3c24b5654c3} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1b599d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2132618059.000001EF1FC51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2158715535.000001EF138B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2158715535.000001EF138B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2158133358.000001EF138AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2132618059.000001EF1FC51000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2158133358.000001EF138AB000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00220A76 push ecx; ret

0_2_00220A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0021F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00291C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00291C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95964

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000021C8BFD2377 rdtsc

17_2_0000021C8BFD2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0026DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023C2A2 FindFirstFileExW,	0_2_0023C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002768EE FindFirstFileW,FindClose,	0_2_002768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0027698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0026D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00279642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00279642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0027979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00279B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00279B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00275C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00275C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: firefox.exe, 00000010.00000002.3285236161.000001BC93F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: firefox.exe, 00000010.00000002.3290310279.000001BC94740000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/<
Source: firefox.exe, 00000010.00000002.3285236161.000001BC93F7A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3284370728.0000021C8BEFA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3289319675.0000021C8C780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3289587748.000001BC94322000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3284191854.0000022558F8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`b@Y%
Source: firefox.exe, 00000011.00000002.3289319675.0000021C8C780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: firefox.exe, 00000012.00000002.3289184177.0000022559406000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpv1
Source: firefox.exe, 00000010.00000002.3290310279.000001BC94740000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3289319675.0000021C8C780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000021C8BFD2377 rdtsc

17_2_0000021C8BFD2377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027EAA2 BlockInput,

0_2_0027EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00232622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00224CE8 mov eax, dword ptr fs:[00000030h]

0_2_00224CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00260B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00260B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00232622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00232622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0022083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0022083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002209D5 SetUnhandledExceptionFilter,	0_2_002209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00220C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00220C21

Source: C:\Users\user\Desktop\file.exe

0_2_00261201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00242BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00242BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026B226 SendInput,keybd_event,

0_2_0026B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00260B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00261663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00261663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00220698 cpuid

0_2_00220698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00278195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00278195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025D27A GetUserNameW,

0_2_0025D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0023B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0023B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2088236013.000000000142F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2088236013.000000000142F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00281204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00281204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00281806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00281806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://profiler.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.193	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	216.58.206.46	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.78	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3286498677.00000225593C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2239224300.000001EF15168000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2096725218.000001EF1B71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089310631.000001EF1B72E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189426865.000001EF1B72C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3286923006.000001BC942C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C2E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3289433093.0000022559506000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/user/	firefox.exe, 00000012.00000002.3286498677.00000225593F4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3286923006.000001BC94272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C286000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3286498677.000002255938E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2206913685.000001EF1BC42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103217826.000001EF1BC41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2235764101.000001EF142E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.o	firefox.exe, 0000000E.00000003.2193440140.000001EF1FAB6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2237279534.000001EF1429F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242008387.000001EF10A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2242008387.000001EF10A79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2238723054.000001EF163A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236944156.000001EF163A4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2071122929.000001EF11F53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2071356082.000001EF11F8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2071240481.000001EF11F6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2071001922.000001EF11F38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070862970.000001EF11F1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070726212.000001EF13900000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2238423613.000001EF1BC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF144A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF144FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223338662.000001EF1BC36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF1444E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2222401650.000001EF1F454000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2208189837.000001EF1B827000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2206913685.000001EF1BC64000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2242008387.000001EF10A79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2211411745.000001EF166DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2071122929.000001EF11F53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2071240481.000001EF11F6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2071001922.000001EF11F38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070862970.000001EF11F1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2070726212.000001EF13900000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2223135811.000001EF1DCAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210282431.000001EF171A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241482881.000001EF13645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214058477.000001EF160D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229307804.000001EF171A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2228631836.000001EF1BC64000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2206913685.000001EF1BC42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2103217826.000001EF1BC41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2205870963.000001EF1EE3F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2243391712.000001EF10AD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2208189837.000001EF1B827000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2224203687.000001EF1BB5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3286498677.000002255930C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2119188923.000001EF1BFAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115906000.000001EF1BFB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2235764101.000001EF142E3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3286498677.00000225593C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2241031208.000001EF1398C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2119188923.000001EF1BFAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115906000.000001EF1BFB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2224823460.000001EF15344000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2243962998.000001EF1F1E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243962998.000001EF1F1B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2230781249.000001EF151D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF144FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2204806640.000001EF1F4D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3286923006.000001BC942C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C2E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3289433093.0000022559506000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3286923006.000001BC942C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C2E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3289433093.0000022559506000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2208189837.000001EF1B841000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2237279534.000001EF1429F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C212000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3286498677.0000022559313000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2235764101.000001EF142E3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3285965616.00000225591E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2233657157.000001EF147DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2243391712.000001EF10AC2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2119188923.000001EF1BFAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2078802334.000001EF13ED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2078802334.000001EF13E7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2190585544.000001EF1342E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2174179946.000001EF152BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2071951963.000001EF13B61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216013733.000001EF1546B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212205697.000001EF16665000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080170641.000001EF13EDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240715977.000001EF13D9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241308550.000001EF136E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2110481443.000001EF15463000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2096725218.000001EF1B70E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186115033.000001EF13EB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189773450.000001EF1B70A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2240497153.000001EF13F43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2214621518.000001EF15EA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205486115.000001EF1F14E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2226140689.000001EF1543E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2080170641.000001EF13EC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2212171311.000001EF1667A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220148357.000001EF1533E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2211411745.000001EF166DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.2102201361.000001EF1BC72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2206913685.000001EF1BC72000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2211411745.000001EF166DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2208615495.000001EF1B6B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245739684.000001EF1B6B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2233657157.000001EF147DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2096725218.000001EF1B71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2189426865.000001EF1B72C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2208189837.000001EF1B827000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2206913685.000001EF1BC88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228631836.000001EF1BC88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2102201361.000001EF1BC88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2208189837.000001EF1B827000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2102201361.000001EF1BC47000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2243391712.000001EF10AC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181583492.000001EF10D65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2119188923.000001EF1BFAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2214890438.000001EF156F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2240497153.000001EF13FCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209548178.000001EF1B5AC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2119188923.000001EF1BFAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119463663.000001EF1BFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2115906000.000001EF1BFB2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2243391712.000001EF10AC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2181583492.000001EF10D65000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2245294050.000001EF1B8A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3286205885.000001BC94100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3285106661.0000021C8BF50000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3285777280.0000022559150000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2235764101.000001EF142E3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2246945799.000001EF1F62C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2171352680.000001EF1FBE2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
216.58.206.46	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546615
Start date and time:	2024-11-01 08:49:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@66/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.160.212.113, 54.185.230.140, 52.11.191.138, 142.250.186.170, 142.250.184.206, 2.22.61.56, 2.22.61.59, 142.250.186.78
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
03:50:11	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://delview.com/MobileDefault.aspx?reff=https%3A%2F%2Fstrasburgva.jimdosite.com	Get hash	malicious	Unknown	Browse	151.101.2.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
ATGS-MMD-ASUS	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	34.36.216.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	34.36.216.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfcef79d-8e8f-4559-9d6f-49315862743e.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176585141665132
Encrypted:	false
SSDEEP:	192:NLKMi1BCcbhbVbTbfbRbObtbyEl7nArcJA6wnSrDtTkd/Sb:pPHcNhnzFSJgrvjnSrDhkd/u
MD5:	C84F1774AE6654873635584113A2B5A6
SHA1:	F133BB57A9262AFFC1DF57D0EB318085ADA09170
SHA-256:	3559C2BDBD6CD3B382C9A8CFD1599F3FA7CCF91B3F8CF8EEFCCA642692597897
SHA-512:	BEE645A3EE28E07473F0E9FECF0DFDC17FA79326534983A002EB1E3A06B2F39D157F0E27EF9746ED50E2A0ABDB7655AE84049AA295E9B443ADD9BABCCFD6347E
Malicious:	false
Preview:	{"type":"uninstall","id":"dfcef79d-8e8f-4559-9d6f-49315862743e","creationDate":"2024-11-01T09:10:36.161Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfcef79d-8e8f-4559-9d6f-49315862743e.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176585141665132
Encrypted:	false
SSDEEP:	192:NLKMi1BCcbhbVbTbfbRbObtbyEl7nArcJA6wnSrDtTkd/Sb:pPHcNhnzFSJgrvjnSrDhkd/u
MD5:	C84F1774AE6654873635584113A2B5A6
SHA1:	F133BB57A9262AFFC1DF57D0EB318085ADA09170
SHA-256:	3559C2BDBD6CD3B382C9A8CFD1599F3FA7CCF91B3F8CF8EEFCCA642692597897
SHA-512:	BEE645A3EE28E07473F0E9FECF0DFDC17FA79326534983A002EB1E3A06B2F39D157F0E27EF9746ED50E2A0ABDB7655AE84049AA295E9B443ADD9BABCCFD6347E
Malicious:	false
Preview:	{"type":"uninstall","id":"dfcef79d-8e8f-4559-9d6f-49315862743e","creationDate":"2024-11-01T09:10:36.161Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9240771851674765
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNW29dhxE:8S+OVPUFRbOdwNIOdYpjvY1Q6L0Lh8P
MD5:	81DDC79E03BC8C0DE2942644800C542C
SHA1:	657C7D9BE40E2C4EBF61CC9D683642A8756AEFD5
SHA-256:	C0BAB4706A6F771FF8A2A382404693283408F0FD199BC9FD17F8EADD7772E268
SHA-512:	E5D862AF75386675EF4A88E9F7F055DC1694BA7B23B99DDF7AF55E5ED3D55DAD49E4E6E745CFFFF9FF13AA36D54C58C161A3449BB99286905A770544827C2A09
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9240771851674765
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNW29dhxE:8S+OVPUFRbOdwNIOdYpjvY1Q6L0Lh8P
MD5:	81DDC79E03BC8C0DE2942644800C542C
SHA1:	657C7D9BE40E2C4EBF61CC9D683642A8756AEFD5
SHA-256:	C0BAB4706A6F771FF8A2A382404693283408F0FD199BC9FD17F8EADD7772E268
SHA-512:	E5D862AF75386675EF4A88E9F7F055DC1694BA7B23B99DDF7AF55E5ED3D55DAD49E4E6E745CFFFF9FF13AA36D54C58C161A3449BB99286905A770544827C2A09
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07328876685278998
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki7:DLhesh7Owd4+ji7
MD5:	96521D06870B2E91B8C04808A10B5504
SHA1:	9CA91687BF746D7295580D2DB48F33D4E43E08AA
SHA-256:	B6D356E10928F8E4B531162C50F18F0831F51A5A42B64C032D201BDDC43A0E9F
SHA-512:	27DB37A26A2987CAF83A0EA87AA1426B84374DC392D8EE89F6BA54EBA76BC815332C022F553699E8A0452FD4E1B27472E4DFFDE4378EF54C4ABF527798F2CA05
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035409731588080785
Encrypted:	false
SSDEEP:	3:GtlstFrlGTVBJlIPlstFrlGTVBJ/llL89//alEl:GtWt6TrJlYWt6TrJ/lx89XuM
MD5:	D819AAB8F24240F9FA86C89A0F1DCE5B
SHA1:	EDC26AD5E0004324CEB621FC83AEBD1A318A8435
SHA-256:	F59567473E1409F19AF6AA420DC2B44EFF7C57D42C84413BC7DC720632E52273
SHA-512:	F05F4C2025871A529CAFA7037B07A0DB7CD0A9ECCA6387CB9A3DB74DCACB4633F6313A9D326F78BAEA1E699A381ABEC7DFEDD5B1193A01374CBF469D30AD7F1B
Malicious:	false
Preview:	..-.......................6.0.........H...d,..-.......................6.0.........H...d,........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03950492520760278
Encrypted:	false
SSDEEP:	3:Ol1o24i2h8ulfhJd5VKj/rl8rEXsxdwhml8XW3R2:Ka2v2h8qTLKnl8dMhm93w
MD5:	4FBFB026492E2E90B46CDE532B3DA3E1
SHA1:	C4AE3CA4AC81C81B6C2844D815713E72DB959F57
SHA-256:	6DA91E9E512C446EFF3F7A9F7AFE445DD29E750E69DF566245CB9DD857F3550E
SHA-512:	2E5A5BB2A1837BB13010E9A5F4EA1234E44F5FA725178C5670B32EE65640E5AF86ACBFDEF46A2DFC17A648A82A10F0B3A6A28D3ABAB8AD2013B6D12489728CC7
Malicious:	false
Preview:	7....-.................t.........................0.6................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477269501561389
Encrypted:	false
SSDEEP:	192:tnPOeRnLYbBp6kJ0aX+56SEXKVWGN6lj05RHWNBw8dASl:JDeZJUgEWC66HEwb0
MD5:	F9F087D62FF68C0ACA1E7248DDDD3817
SHA1:	F32D8BE917348AE204B80B1930CD0E435CC2D1FE
SHA-256:	E1773A5C87A403B1C87D3ED183194BA7CCE543E799EB55723EDEB697F9AEC5BB
SHA-512:	2FD1FC3A5BDDED95D8C0B4F63A98ADCD9A2B514005892410322CA97F2B216A32CE40860899CF7175CDB57C445B4C33B8B5165BCD2A232B39FABDD8802DAE5C38
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730452205);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730452205);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730452205);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173045

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477269501561389
Encrypted:	false
SSDEEP:	192:tnPOeRnLYbBp6kJ0aX+56SEXKVWGN6lj05RHWNBw8dASl:JDeZJUgEWC66HEwb0
MD5:	F9F087D62FF68C0ACA1E7248DDDD3817
SHA1:	F32D8BE917348AE204B80B1930CD0E435CC2D1FE
SHA-256:	E1773A5C87A403B1C87D3ED183194BA7CCE543E799EB55723EDEB697F9AEC5BB
SHA-512:	2FD1FC3A5BDDED95D8C0B4F63A98ADCD9A2B514005892410322CA97F2B216A32CE40860899CF7175CDB57C445B4C33B8B5165BCD2A232B39FABDD8802DAE5C38
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730452205);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730452205);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730452205);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173045

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.333254849349871
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSQuHLXnIrib/pnxQwRcWT5sKmgb0V3eHVpjO+EamhujJwO2c0TiVm8:GUpOx/GxnRcoegQ3erjxE4Jwc3zBtT
MD5:	21B698B85C2CA9C3655CDCD6FD2AA1D1
SHA1:	3F97F5FDEFBA97D41F3B5A342168E18D887681F5
SHA-256:	EA1CE64F1F3E7749B8A676BEA9708774886A15BD4FD37503799EFFBCEC832F7C
SHA-512:	155913D18808474B2C806999F7BDD514F23F93E6622CFE118D011D02D6D2AB28A22D5209E4E55F738C9C166741CFC137FBDC4DBF7B7A309A5D3816C824B9CB78
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{e8edecef-38a4-410e-9cbf-dde71a4f30ce}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730452209316,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..`175386...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....179693,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.333254849349871
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSQuHLXnIrib/pnxQwRcWT5sKmgb0V3eHVpjO+EamhujJwO2c0TiVm8:GUpOx/GxnRcoegQ3erjxE4Jwc3zBtT
MD5:	21B698B85C2CA9C3655CDCD6FD2AA1D1
SHA1:	3F97F5FDEFBA97D41F3B5A342168E18D887681F5
SHA-256:	EA1CE64F1F3E7749B8A676BEA9708774886A15BD4FD37503799EFFBCEC832F7C
SHA-512:	155913D18808474B2C806999F7BDD514F23F93E6622CFE118D011D02D6D2AB28A22D5209E4E55F738C9C166741CFC137FBDC4DBF7B7A309A5D3816C824B9CB78
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{e8edecef-38a4-410e-9cbf-dde71a4f30ce}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730452209316,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..`175386...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....179693,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.333254849349871
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSQuHLXnIrib/pnxQwRcWT5sKmgb0V3eHVpjO+EamhujJwO2c0TiVm8:GUpOx/GxnRcoegQ3erjxE4Jwc3zBtT
MD5:	21B698B85C2CA9C3655CDCD6FD2AA1D1
SHA1:	3F97F5FDEFBA97D41F3B5A342168E18D887681F5
SHA-256:	EA1CE64F1F3E7749B8A676BEA9708774886A15BD4FD37503799EFFBCEC832F7C
SHA-512:	155913D18808474B2C806999F7BDD514F23F93E6622CFE118D011D02D6D2AB28A22D5209E4E55F738C9C166741CFC137FBDC4DBF7B7A309A5D3816C824B9CB78
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{e8edecef-38a4-410e-9cbf-dde71a4f30ce}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1730452209316,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..`175386...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..eexpiry....179693,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029671677483515
Encrypted:	false
SSDEEP:	96:ycKnMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:0MTEr5NX0z3DhRe
MD5:	31BEB2F93997C69E428D7D5CB32E4360
SHA1:	7A86A1BEA6CBC6920296134DEBBB685C27C3FE20
SHA-256:	34CB05372FCBB5C92B0EEC430BD631193BF83D0D0957B7D898ED1FF84DECE812
SHA-512:	1DE0A275F7DAF4CD3EBF4DE04D156F76E426A3DF4523A7572EBD1D6CC8CBC6C328C0D7057C14438AC53616B69EEBAC33AC1321B72A6139D53A48F43A984D3A95
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T09:09:45.285Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029671677483515
Encrypted:	false
SSDEEP:	96:ycKnMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:0MTEr5NX0z3DhRe
MD5:	31BEB2F93997C69E428D7D5CB32E4360
SHA1:	7A86A1BEA6CBC6920296134DEBBB685C27C3FE20
SHA-256:	34CB05372FCBB5C92B0EEC430BD631193BF83D0D0957B7D898ED1FF84DECE812
SHA-512:	1DE0A275F7DAF4CD3EBF4DE04D156F76E426A3DF4523A7572EBD1D6CC8CBC6C328C0D7057C14438AC53616B69EEBAC33AC1321B72A6139D53A48F43A984D3A95
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T09:09:45.285Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584669136061982
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	48e5c172e53eb45e40fe1cef7643aa58
SHA1:	422b6caca89f7500ce91992cb5b0254724d19a19
SHA256:	ac8830011bbe6573de6ac2e7869991d41d7d9444baaf88a49c836fd329d5e363
SHA512:	279139ef6689acb689358b4404098fa0f6ca6fc05bb6fb2566ae3f9c34b672cf9cd79995af020247fbf44d7f73d85a31ea9751e9fd35a0902ee07fb9a8590341
SSDEEP:	12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TL:FqDEvCTbMWu7rQYlBQcBiT6rprG8abL
TLSH:	D0159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67248707 [Fri Nov 1 07:45:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9E1CD3B213h
jmp 00007F9E1CD3AB1Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9E1CD3ACFDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9E1CD3ACCAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9E1CD3D8BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9E1CD3D908h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9E1CD3D8F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	4232c41e209da6eaad7f617419c4d568	False	0.31561511075949367	data	5.373699291796782	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T08:50:22.432505+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.5	49742	TCP
2024-11-01T08:51:02.133062+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.5	51535	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 08:50:09.401885033 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:09.401952028 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:09.402151108 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:09.407131910 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:09.407145023 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:09.989584923 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:09.989614964 CET	443	49711	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:09.989828110 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:09.991409063 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:09.991424084 CET	443	49711	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.041435957 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:10.041537046 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:10.048990965 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:10.049006939 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:10.049134016 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:10.049277067 CET	443	49710	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:10.049359083 CET	49710	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:10.124983072 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.125030041 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.133507967 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.136722088 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.136765957 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.137787104 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:10.142669916 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:10.152924061 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:10.155452013 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:10.160495996 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:10.424684048 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:10.424743891 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:10.427835941 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:10.429249048 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:10.429265976 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:10.437387943 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:10.437489986 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:10.438163042 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:10.439743042 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:10.439778090 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:10.756659031 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:10.765882969 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:10.765899897 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:10.766613007 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:10.766746044 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:10.766760111 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:10.808008909 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:10.849725008 CET	443	49711	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.849800110 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.850714922 CET	443	49711	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.850800991 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.853955030 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.853965044 CET	443	49711	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.854058027 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:10.854127884 CET	443	49711	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:10.854350090 CET	49711	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.024269104 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.024311066 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.025435925 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.039897919 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.039957047 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.049010992 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.055660963 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.058919907 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.060606956 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.060622931 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.060729027 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.060841084 CET	443	49714	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.061095953 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.061109066 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.063349962 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.063389063 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.063431978 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.063751936 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.063757896 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.063968897 CET	443	49712	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.067339897 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.071136951 CET	49714	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.071188927 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.071188927 CET	49712	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.071223021 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.071223021 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.074450970 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.074461937 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.075731039 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.075741053 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.078241110 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.078255892 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.078350067 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.078694105 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.078741074 CET	443	49720	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.078833103 CET	443	49715	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.086886883 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.086925983 CET	49715	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.086970091 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.088464022 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.088479996 CET	443	49720	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.384871006 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:11.385297060 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.390100956 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.391343117 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:11.391758919 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.391774893 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.391906023 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.397660017 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.397665977 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:11.397779942 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.398286104 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:11.400007963 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:11.400058031 CET	443	49722	34.160.144.191	192.168.2.5
Nov 1, 2024 08:50:11.402630091 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.403000116 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.403068066 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.403166056 CET	443	49717	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:11.404632092 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.404664993 CET	49717	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:11.404686928 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:11.404812098 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:11.404822111 CET	443	49722	34.160.144.191	192.168.2.5
Nov 1, 2024 08:50:11.612984896 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.618220091 CET	80	49713	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.618736029 CET	49713	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.684078932 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.684098959 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.684151888 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.688705921 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.688710928 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.688781023 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.688981056 CET	443	49718	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.689034939 CET	49718	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.697685003 CET	443	49720	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.697698116 CET	443	49720	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.697787046 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.703279972 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.703286886 CET	443	49720	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.703334093 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.703454971 CET	443	49720	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.707308054 CET	49720	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.754693985 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.759737968 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.770432949 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.770549059 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.775463104 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.795008898 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.795047045 CET	443	49724	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.803734064 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.805354118 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:11.805370092 CET	443	49724	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:11.920464039 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.920478106 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.920531988 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.921168089 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.921390057 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.924714088 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.924719095 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.924797058 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.924870968 CET	443	49719	216.58.206.46	192.168.2.5
Nov 1, 2024 08:50:11.924947023 CET	49719	443	192.168.2.5	216.58.206.46
Nov 1, 2024 08:50:11.978847980 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.981734991 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:11.986896038 CET	80	49721	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:11.986954927 CET	49721	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:12.032629967 CET	443	49722	34.160.144.191	192.168.2.5
Nov 1, 2024 08:50:12.033246994 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:12.036386013 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:12.036405087 CET	443	49722	34.160.144.191	192.168.2.5
Nov 1, 2024 08:50:12.036750078 CET	443	49722	34.160.144.191	192.168.2.5
Nov 1, 2024 08:50:12.043916941 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:12.043992996 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:12.044190884 CET	443	49722	34.160.144.191	192.168.2.5
Nov 1, 2024 08:50:12.044248104 CET	49722	443	192.168.2.5	34.160.144.191
Nov 1, 2024 08:50:12.364876986 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:12.418428898 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:12.421046972 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:12.421123028 CET	443	49724	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:12.421158075 CET	443	49724	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:12.423353910 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:12.423986912 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.424014091 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:12.425867081 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:12.427577019 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.427584887 CET	443	49724	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:12.427644968 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.427845001 CET	443	49724	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:12.427944899 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.427990913 CET	443	49727	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:12.428252935 CET	49724	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.428270102 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.429543018 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:12.429562092 CET	443	49727	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:12.430706978 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:12.706212997 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:12.706290007 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:12.706444979 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:12.707884073 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:12.707937002 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:13.012589931 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:13.051779985 CET	443	49727	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:13.051866055 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:13.057066917 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:13.057080984 CET	443	49727	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:13.057171106 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:13.057339907 CET	443	49727	34.117.188.166	192.168.2.5
Nov 1, 2024 08:50:13.057394028 CET	49727	443	192.168.2.5	34.117.188.166
Nov 1, 2024 08:50:13.060519934 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:13.194303036 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:13.199207067 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:13.221887112 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.221935034 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:13.223364115 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.223623991 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.223639011 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:13.230994940 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.231014013 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.231431961 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.232928038 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.232944965 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.310883045 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:13.315335035 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:13.316307068 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:13.317425013 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:13.319847107 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:13.319866896 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:13.319931984 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:13.320097923 CET	443	49728	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:13.320254087 CET	49728	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:13.361402988 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:13.854926109 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:13.854990005 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.855613947 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.857667923 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.857676029 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:13.858056068 CET	443	49730	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:13.859822035 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.859822035 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.859978914 CET	49730	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:13.862731934 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.863723040 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.863744020 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.863835096 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.863971949 CET	443	49731	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.864238024 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.864306927 CET	49731	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.864343882 CET	443	49732	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.864528894 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.865995884 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:13.866046906 CET	443	49732	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:13.907687902 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:13.912545919 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:13.940006971 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:13.944824934 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:13.955220938 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:13.955248117 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:13.955468893 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:13.956974983 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:13.956990957 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:14.044956923 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:14.062854052 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:14.087973118 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:14.092895985 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:14.116472006 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:14.210802078 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:14.263641119 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:14.479490995 CET	443	49732	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:14.479567051 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:14.546679020 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:14.546690941 CET	443	49732	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:14.546760082 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:14.546904087 CET	443	49732	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:14.547077894 CET	49732	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:14.576168060 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:14.580185890 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:14.606761932 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:14.606782913 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:14.606853008 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:14.607259989 CET	443	49733	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:14.608174086 CET	49733	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.439763069 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:16.444827080 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:16.467549086 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.467596054 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:16.469446898 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.470973969 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.470993996 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:16.491718054 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.491764069 CET	443	49736	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:16.495418072 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.495486975 CET	443	49737	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:16.495521069 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:16.495546103 CET	443	49738	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:16.495731115 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:16.495739937 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.495768070 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.495881081 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.495887995 CET	443	49736	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:16.497349024 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:16.497363091 CET	443	49738	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:16.497478962 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:16.497515917 CET	443	49737	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:16.562577009 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:16.565541029 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:16.570389986 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:16.607594967 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:16.688419104 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:16.739099979 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.093236923 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.093328953 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.101371050 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.101382971 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.101484060 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.101650000 CET	443	49735	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.102515936 CET	49735	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.103832960 CET	443	49737	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.103959084 CET	443	49736	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.104053020 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.104959011 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.104964972 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.109837055 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.111303091 CET	443	49738	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:17.111371994 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:17.134546995 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.134576082 CET	443	49737	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.134922028 CET	443	49737	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.136984110 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.137015104 CET	443	49736	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.137346029 CET	443	49736	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.139503956 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.139533997 CET	443	49739	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.140314102 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.142097950 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.142112970 CET	443	49739	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.143888950 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.143984079 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.144117117 CET	443	49737	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.144643068 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.144714117 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.144881964 CET	443	49736	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.144941092 CET	49737	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.145152092 CET	49736	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.146481991 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:17.146506071 CET	443	49738	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:17.146554947 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:17.146773100 CET	443	49738	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:17.153323889 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.153374910 CET	443	49740	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.153626919 CET	49738	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:17.153707027 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.153790951 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.153811932 CET	443	49740	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.156161070 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.156191111 CET	443	49741	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.158250093 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.158346891 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.158365011 CET	443	49741	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.228049994 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.231002092 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.235876083 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.271840096 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.361421108 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.409905910 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.755004883 CET	443	49739	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.755100965 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.759361029 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.759376049 CET	443	49739	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.759475946 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.759614944 CET	443	49739	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.760545015 CET	49739	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.762048006 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.766730070 CET	443	49740	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.766813993 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.767245054 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.769586086 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.769598961 CET	443	49740	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.769841909 CET	443	49740	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.771703005 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.771775961 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.771850109 CET	443	49740	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.771903992 CET	49740	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.776120901 CET	443	49741	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.776206017 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.778671026 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.778685093 CET	443	49741	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.778937101 CET	443	49741	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.780909061 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.780991077 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.781071901 CET	443	49741	34.120.208.123	192.168.2.5
Nov 1, 2024 08:50:17.781138897 CET	49741	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:50:17.885143995 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.887978077 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:17.892853022 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:17.930186987 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:18.011476994 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:18.058525085 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:21.389657974 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:21.389692068 CET	443	49744	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:21.392956972 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:21.394406080 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:21.394421101 CET	443	49744	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:22.000246048 CET	443	49744	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:22.000329018 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:22.731576920 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:22.731597900 CET	443	49744	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:22.731671095 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:22.731868029 CET	443	49744	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:22.731996059 CET	49744	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:23.688848972 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:23.693857908 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:23.811672926 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:23.816129923 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:23.821175098 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:23.861001968 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:23.939676046 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:23.992528915 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:32.937468052 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:32.937495947 CET	443	51369	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:32.937657118 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:32.939066887 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:32.939085960 CET	443	51369	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:33.545393944 CET	443	51369	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:33.545592070 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:33.550946951 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:33.550976038 CET	443	51369	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:33.551039934 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:33.551177979 CET	443	51369	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:33.551999092 CET	51369	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:33.554193974 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:33.558991909 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:33.676731110 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:33.681094885 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:33.686027050 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:33.718594074 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:33.804193974 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:33.850140095 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:37.832755089 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:37.837658882 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:37.958725929 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:37.961909056 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:37.966850042 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:38.008929968 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:38.016501904 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.016539097 CET	443	51399	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.018891096 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.018984079 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.018992901 CET	443	51399	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.040990114 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.041021109 CET	443	51400	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.041184902 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.041320086 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.041330099 CET	443	51400	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.043029070 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.043070078 CET	443	51401	151.101.193.91	192.168.2.5
Nov 1, 2024 08:50:38.043431997 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.043508053 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.043528080 CET	443	51401	151.101.193.91	192.168.2.5
Nov 1, 2024 08:50:38.064703941 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.064735889 CET	443	51402	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:38.068921089 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.070348024 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.070367098 CET	443	51402	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:38.079128027 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.079143047 CET	443	51403	35.201.103.21	192.168.2.5
Nov 1, 2024 08:50:38.082264900 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.083702087 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.083719015 CET	443	51403	35.201.103.21	192.168.2.5
Nov 1, 2024 08:50:38.084505081 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:38.131386995 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:38.647685051 CET	443	51400	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.647764921 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.649403095 CET	443	51401	151.101.193.91	192.168.2.5
Nov 1, 2024 08:50:38.651281118 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.651289940 CET	443	51400	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.651503086 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.651532888 CET	443	51400	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.654289961 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.654301882 CET	443	51401	151.101.193.91	192.168.2.5
Nov 1, 2024 08:50:38.654553890 CET	443	51401	151.101.193.91	192.168.2.5
Nov 1, 2024 08:50:38.657682896 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.657721996 CET	443	51399	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.657773972 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.657823086 CET	443	51400	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.658015966 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.658068895 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.658163071 CET	443	51401	151.101.193.91	192.168.2.5
Nov 1, 2024 08:50:38.658585072 CET	51400	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.658593893 CET	51401	443	192.168.2.5	151.101.193.91
Nov 1, 2024 08:50:38.658605099 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.661725998 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.661734104 CET	443	51399	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.661963940 CET	443	51399	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.664458036 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.664509058 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.664586067 CET	443	51399	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.665879965 CET	51399	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.668039083 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:38.670526028 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.670573950 CET	443	51409	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.670731068 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.670844078 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.670885086 CET	443	51409	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.672951937 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:38.673074961 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.673105955 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.673695087 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.673794031 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.673800945 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.675185919 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.675206900 CET	443	51411	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.675398111 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.675436974 CET	443	51402	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:38.675520897 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:38.675533056 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.675545931 CET	443	51411	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:38.680380106 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.680387020 CET	443	51402	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:38.680461884 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.680542946 CET	443	51402	35.190.72.216	192.168.2.5
Nov 1, 2024 08:50:38.680644035 CET	51402	443	192.168.2.5	35.190.72.216
Nov 1, 2024 08:50:38.717638969 CET	443	51403	35.201.103.21	192.168.2.5
Nov 1, 2024 08:50:38.717844009 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.722791910 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.722791910 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.722800970 CET	443	51403	35.201.103.21	192.168.2.5
Nov 1, 2024 08:50:38.722948074 CET	443	51403	35.201.103.21	192.168.2.5
Nov 1, 2024 08:50:38.723406076 CET	51403	443	192.168.2.5	35.201.103.21
Nov 1, 2024 08:50:38.734817028 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.734899044 CET	443	51412	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.734976053 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.735058069 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:38.735095978 CET	443	51412	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:38.790818930 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:38.793632984 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:38.798629045 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:38.832963943 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:38.916729927 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:38.964529991 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:39.391259909 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.391625881 CET	443	51411	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.391782999 CET	443	51412	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:39.391818047 CET	443	51409	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.391913891 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.391932011 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.391951084 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:39.392761946 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.394434929 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.394438982 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.394655943 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.396903992 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.396915913 CET	443	51411	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.397192001 CET	443	51411	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.399125099 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.399136066 CET	443	51409	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.399394989 CET	443	51409	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.401848078 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:39.401925087 CET	443	51412	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:39.402154922 CET	443	51412	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:39.406637907 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.406765938 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.406831026 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.406836033 CET	443	51410	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.407102108 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.407141924 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.407249928 CET	443	51411	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.407468081 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.407506943 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.407612085 CET	443	51409	35.244.181.201	192.168.2.5
Nov 1, 2024 08:50:39.407876015 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:39.407913923 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:39.408023119 CET	443	51412	34.149.100.209	192.168.2.5
Nov 1, 2024 08:50:39.408826113 CET	51411	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.408826113 CET	51409	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.408849955 CET	51412	443	192.168.2.5	34.149.100.209
Nov 1, 2024 08:50:39.411504030 CET	51410	443	192.168.2.5	35.244.181.201
Nov 1, 2024 08:50:39.413919926 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:39.418858051 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:39.536758900 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:39.541795969 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:39.546647072 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:39.581948996 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:39.664489031 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:39.713496923 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:49.554083109 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:49.558926105 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:49.670099020 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:49.674925089 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:54.313092947 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:54.313134909 CET	443	51494	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:54.313304901 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:54.314713001 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:54.314744949 CET	443	51494	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:55.255974054 CET	443	51494	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:55.256119013 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:55.260963917 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:55.260973930 CET	443	51494	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:55.261060953 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:55.261198044 CET	443	51494	34.107.243.93	192.168.2.5
Nov 1, 2024 08:50:55.261852026 CET	51494	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:50:55.263768911 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:55.268819094 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:55.387373924 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:55.390207052 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:55.395661116 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:55.440350056 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:50:55.512958050 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:50:55.556227922 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:05.400235891 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:05.405112982 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:05.516161919 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:05.521051884 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:08.730287075 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:08.730328083 CET	443	51576	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:08.731098890 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:08.731249094 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:08.731267929 CET	443	51576	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:08.756908894 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:08.756942987 CET	443	51577	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:08.760231018 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:08.760384083 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:08.760401964 CET	443	51577	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.335848093 CET	443	51576	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.335939884 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.339262009 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.339271069 CET	443	51576	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.339513063 CET	443	51576	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.341969013 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.342078924 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.342109919 CET	443	51576	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.345216036 CET	51576	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.345967054 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:09.351274967 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:09.375919104 CET	443	51577	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.376029015 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.379427910 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.379446030 CET	443	51577	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.379709959 CET	443	51577	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.382436037 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.382538080 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.382601023 CET	443	51577	34.120.208.123	192.168.2.5
Nov 1, 2024 08:51:09.383573055 CET	51577	443	192.168.2.5	34.120.208.123
Nov 1, 2024 08:51:09.469036102 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:09.488614082 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:09.493518114 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:09.527821064 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:09.808202982 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:09.850852966 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:19.479043007 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:19.484008074 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:19.811227083 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:19.816083908 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:29.506675005 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:29.511610985 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:29.823292017 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:29.829713106 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:35.337110043 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.337127924 CET	443	51594	34.107.243.93	192.168.2.5
Nov 1, 2024 08:51:35.337212086 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.338715076 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.338730097 CET	443	51594	34.107.243.93	192.168.2.5
Nov 1, 2024 08:51:35.946350098 CET	443	51594	34.107.243.93	192.168.2.5
Nov 1, 2024 08:51:35.946594000 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.951590061 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.951606989 CET	443	51594	34.107.243.93	192.168.2.5
Nov 1, 2024 08:51:35.951693058 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.951809883 CET	443	51594	34.107.243.93	192.168.2.5
Nov 1, 2024 08:51:35.952532053 CET	51594	443	192.168.2.5	34.107.243.93
Nov 1, 2024 08:51:35.954421997 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:35.959338903 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:36.077049971 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:36.080832005 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:36.085812092 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:36.125298023 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:36.203780890 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:36.256910086 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:46.084968090 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:46.089972019 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:46.216290951 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:46.221227884 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:56.097527981 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:56.102610111 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:51:56.228641033 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:51:56.233572960 CET	80	49726	34.107.221.82	192.168.2.5
Nov 1, 2024 08:52:06.109009027 CET	49723	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:52:06.113979101 CET	80	49723	34.107.221.82	192.168.2.5
Nov 1, 2024 08:52:06.240545988 CET	49726	80	192.168.2.5	34.107.221.82
Nov 1, 2024 08:52:06.245592117 CET	80	49726	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 08:50:09.436068058 CET	54563	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:09.443033934 CET	53	54563	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:09.455487967 CET	60349	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:09.462987900 CET	53	60349	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:09.981699944 CET	59872	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:09.988564014 CET	53	59872	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:09.989728928 CET	55162	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:09.997653961 CET	53	55162	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.000823021 CET	62391	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.007610083 CET	53	62391	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.101094007 CET	64890	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.140396118 CET	61854	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.147331953 CET	53	61854	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.160574913 CET	50490	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.168935061 CET	53	50490	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.414892912 CET	58378	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.423136950 CET	53	58378	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.425066948 CET	51334	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.427107096 CET	56927	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.432008982 CET	53	51334	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.432873964 CET	51440	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.433907986 CET	53	56927	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.439409971 CET	53	51440	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.440462112 CET	52978	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.447921038 CET	53	52978	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.458631039 CET	64371	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.465647936 CET	53	64371	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.766494989 CET	59248	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.770919085 CET	64566	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.774477005 CET	53	59248	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.777592897 CET	53	64566	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.777894974 CET	62451	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.784764051 CET	53	62451	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:10.788593054 CET	52478	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:10.795224905 CET	53	52478	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:11.375930071 CET	51089	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:11.384397030 CET	57946	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:11.391261101 CET	53	57946	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:11.400557041 CET	56258	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:11.407725096 CET	53	56258	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:11.408220053 CET	51176	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:11.414922953 CET	53	51176	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:12.357279062 CET	53855	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:12.401658058 CET	53	54540	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:12.664582968 CET	52505	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:12.671464920 CET	53	52505	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:12.674382925 CET	62614	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:12.681430101 CET	53	62614	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:12.695729017 CET	61279	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:12.705228090 CET	53	61279	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:13.222093105 CET	57777	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:13.228843927 CET	53	57777	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:13.231264114 CET	53608	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:13.238620043 CET	53	53608	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:13.239269972 CET	51355	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:13.246280909 CET	53	51355	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:13.955400944 CET	58659	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:13.962348938 CET	53	58659	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:13.963498116 CET	61301	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:13.970293045 CET	53	61301	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:16.427726984 CET	60642	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:16.435633898 CET	53	60642	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:16.437227964 CET	63017	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:16.445050001 CET	53	63017	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:16.463691950 CET	59801	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:16.471072912 CET	53	59801	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.470575094 CET	54321	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.470859051 CET	59679	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.471096039 CET	65127	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.477399111 CET	53	54321	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.477775097 CET	53	59679	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.478270054 CET	64637	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.478507042 CET	63451	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.478511095 CET	53	65127	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.479022026 CET	58342	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.485049963 CET	53	64637	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.485588074 CET	53	63451	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.485635996 CET	51155	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.486049891 CET	54370	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.486975908 CET	53	58342	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.489554882 CET	51731	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.492300987 CET	53	51155	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.492662907 CET	53	54370	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.492835045 CET	54393	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.493299961 CET	63052	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.497112989 CET	53	51731	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.499963045 CET	53	63052	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.500075102 CET	53	54393	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.501621008 CET	53948	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.502098083 CET	53571	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.508724928 CET	53	53948	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.509130955 CET	60071	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.509139061 CET	53	53571	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.509594917 CET	65312	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:18.515958071 CET	53	60071	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:18.516968012 CET	53	65312	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:21.387765884 CET	64450	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:21.395055056 CET	53	64450	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:23.688453913 CET	62700	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:24.385617018 CET	53	49327	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:32.937350035 CET	61555	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:32.944401979 CET	53	61555	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.017502069 CET	53075	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.024425983 CET	53	53075	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.035254955 CET	57944	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.042279959 CET	53	57944	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.043294907 CET	55832	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.049928904 CET	53	55832	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.050455093 CET	53164	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.058078051 CET	53	53164	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.071280956 CET	50748	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.078423023 CET	53	50748	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.080200911 CET	55035	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.087363958 CET	53	55035	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:38.087819099 CET	53721	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:38.094603062 CET	53	53721	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:54.312510967 CET	56982	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:54.319474936 CET	53	56982	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:54.320452929 CET	64614	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:50:54.327229023 CET	53	64614	1.1.1.1	192.168.2.5
Nov 1, 2024 08:50:55.264030933 CET	63087	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:51:08.731044054 CET	64740	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:51:08.737905979 CET	53	64740	1.1.1.1	192.168.2.5
Nov 1, 2024 08:51:35.328638077 CET	53334	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:51:35.335999966 CET	53	53334	1.1.1.1	192.168.2.5
Nov 1, 2024 08:51:35.336677074 CET	58747	53	192.168.2.5	1.1.1.1
Nov 1, 2024 08:51:35.343641996 CET	53	58747	1.1.1.1	192.168.2.5
Nov 1, 2024 08:51:35.954685926 CET	56130	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 08:50:09.436068058 CET	192.168.2.5	1.1.1.1	0x8ff7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:09.455487967 CET	192.168.2.5	1.1.1.1	0xaf96	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:09.981699944 CET	192.168.2.5	1.1.1.1	0x56f6	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:09.989728928 CET	192.168.2.5	1.1.1.1	0x6812	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.000823021 CET	192.168.2.5	1.1.1.1	0x7495	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:10.101094007 CET	192.168.2.5	1.1.1.1	0xbc72	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.140396118 CET	192.168.2.5	1.1.1.1	0xf443	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.160574913 CET	192.168.2.5	1.1.1.1	0x9f6e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:10.414892912 CET	192.168.2.5	1.1.1.1	0x56a1	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.425066948 CET	192.168.2.5	1.1.1.1	0x42c8	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.427107096 CET	192.168.2.5	1.1.1.1	0xc45e	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.432873964 CET	192.168.2.5	1.1.1.1	0x88ad	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:10.440462112 CET	192.168.2.5	1.1.1.1	0x1216	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.458631039 CET	192.168.2.5	1.1.1.1	0x4b3c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:10.766494989 CET	192.168.2.5	1.1.1.1	0x80db	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.770919085 CET	192.168.2.5	1.1.1.1	0x8052	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.777894974 CET	192.168.2.5	1.1.1.1	0xa5a5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:10.788593054 CET	192.168.2.5	1.1.1.1	0x6f65	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.375930071 CET	192.168.2.5	1.1.1.1	0x80a5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.384397030 CET	192.168.2.5	1.1.1.1	0xde3	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.400557041 CET	192.168.2.5	1.1.1.1	0xabfb	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.408220053 CET	192.168.2.5	1.1.1.1	0x6d47	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:12.357279062 CET	192.168.2.5	1.1.1.1	0x1a5f	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:12.664582968 CET	192.168.2.5	1.1.1.1	0xd7b7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:12.674382925 CET	192.168.2.5	1.1.1.1	0x3ac4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:12.695729017 CET	192.168.2.5	1.1.1.1	0x4c83	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:13.222093105 CET	192.168.2.5	1.1.1.1	0x2278	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.231264114 CET	192.168.2.5	1.1.1.1	0x800f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.239269972 CET	192.168.2.5	1.1.1.1	0x9d14	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:13.955400944 CET	192.168.2.5	1.1.1.1	0xa3f3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.963498116 CET	192.168.2.5	1.1.1.1	0x5225	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:16.427726984 CET	192.168.2.5	1.1.1.1	0x8512	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:16.437227964 CET	192.168.2.5	1.1.1.1	0xd944	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:16.463691950 CET	192.168.2.5	1.1.1.1	0x2669	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:18.470575094 CET	192.168.2.5	1.1.1.1	0x6cca	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.470859051 CET	192.168.2.5	1.1.1.1	0x76ba	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.471096039 CET	192.168.2.5	1.1.1.1	0x54b1	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.478270054 CET	192.168.2.5	1.1.1.1	0x1fc	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.478507042 CET	192.168.2.5	1.1.1.1	0x391b	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.479022026 CET	192.168.2.5	1.1.1.1	0xfbff	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485635996 CET	192.168.2.5	1.1.1.1	0x21e8	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:18.486049891 CET	192.168.2.5	1.1.1.1	0x874e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:18.489554882 CET	192.168.2.5	1.1.1.1	0x51f5	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 1, 2024 08:50:18.492835045 CET	192.168.2.5	1.1.1.1	0x3cc1	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.493299961 CET	192.168.2.5	1.1.1.1	0xda0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.501621008 CET	192.168.2.5	1.1.1.1	0x514b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.502098083 CET	192.168.2.5	1.1.1.1	0x4beb	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.509130955 CET	192.168.2.5	1.1.1.1	0x1088	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:18.509594917 CET	192.168.2.5	1.1.1.1	0xb4d4	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:21.387765884 CET	192.168.2.5	1.1.1.1	0x8023	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:23.688453913 CET	192.168.2.5	1.1.1.1	0xeef3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:32.937350035 CET	192.168.2.5	1.1.1.1	0x8460	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:38.017502069 CET	192.168.2.5	1.1.1.1	0x4a67	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 08:50:38.035254955 CET	192.168.2.5	1.1.1.1	0xa2e3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.043294907 CET	192.168.2.5	1.1.1.1	0x24c6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.050455093 CET	192.168.2.5	1.1.1.1	0x64bc	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 1, 2024 08:50:38.071280956 CET	192.168.2.5	1.1.1.1	0xb0bb	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.080200911 CET	192.168.2.5	1.1.1.1	0xcaec	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.087819099 CET	192.168.2.5	1.1.1.1	0x158e	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:54.312510967 CET	192.168.2.5	1.1.1.1	0x763a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:54.320452929 CET	192.168.2.5	1.1.1.1	0x4fcb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:50:55.264030933 CET	192.168.2.5	1.1.1.1	0xa91e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:51:08.731044054 CET	192.168.2.5	1.1.1.1	0x6375	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:51:35.328638077 CET	192.168.2.5	1.1.1.1	0x3b81	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:51:35.336677074 CET	192.168.2.5	1.1.1.1	0xbf6e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 08:51:35.954685926 CET	192.168.2.5	1.1.1.1	0x33e6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 08:50:09.382658958 CET	1.1.1.1	192.168.2.5	0x2134	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:09.443033934 CET	1.1.1.1	192.168.2.5	0x8ff7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:09.988564014 CET	1.1.1.1	192.168.2.5	0x56f6	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:09.997653961 CET	1.1.1.1	192.168.2.5	0x6812	No error (0)	youtube.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.007610083 CET	1.1.1.1	192.168.2.5	0x7495	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 1, 2024 08:50:10.108095884 CET	1.1.1.1	192.168.2.5	0xbc72	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:10.108095884 CET	1.1.1.1	192.168.2.5	0xbc72	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.147331953 CET	1.1.1.1	192.168.2.5	0xf443	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.168935061 CET	1.1.1.1	192.168.2.5	0x9f6e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 08:50:10.423136950 CET	1.1.1.1	192.168.2.5	0x56a1	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.432008982 CET	1.1.1.1	192.168.2.5	0x42c8	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.433907986 CET	1.1.1.1	192.168.2.5	0xc45e	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:10.433907986 CET	1.1.1.1	192.168.2.5	0xc45e	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.447921038 CET	1.1.1.1	192.168.2.5	0x1216	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.765150070 CET	1.1.1.1	192.168.2.5	0xe547	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:10.765150070 CET	1.1.1.1	192.168.2.5	0xe547	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.774477005 CET	1.1.1.1	192.168.2.5	0x80db	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.777592897 CET	1.1.1.1	192.168.2.5	0x8052	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.795224905 CET	1.1.1.1	192.168.2.5	0x6f65	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:10.795224905 CET	1.1.1.1	192.168.2.5	0x6f65	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.382965088 CET	1.1.1.1	192.168.2.5	0x80a5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:11.382965088 CET	1.1.1.1	192.168.2.5	0x80a5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.391261101 CET	1.1.1.1	192.168.2.5	0xde3	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:11.391261101 CET	1.1.1.1	192.168.2.5	0xde3	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:11.391261101 CET	1.1.1.1	192.168.2.5	0xde3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.407725096 CET	1.1.1.1	192.168.2.5	0xabfb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:11.414922953 CET	1.1.1.1	192.168.2.5	0x6d47	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 08:50:12.364835024 CET	1.1.1.1	192.168.2.5	0x1a5f	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:12.671464920 CET	1.1.1.1	192.168.2.5	0xd7b7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:12.681430101 CET	1.1.1.1	192.168.2.5	0x3ac4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.208389044 CET	1.1.1.1	192.168.2.5	0x1c05	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:13.208389044 CET	1.1.1.1	192.168.2.5	0x1c05	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.228843927 CET	1.1.1.1	192.168.2.5	0x2278	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:13.228843927 CET	1.1.1.1	192.168.2.5	0x2278	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.238620043 CET	1.1.1.1	192.168.2.5	0x800f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.947540045 CET	1.1.1.1	192.168.2.5	0x7b2f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:13.962348938 CET	1.1.1.1	192.168.2.5	0xa3f3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:16.435633898 CET	1.1.1.1	192.168.2.5	0x8512	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:16.435633898 CET	1.1.1.1	192.168.2.5	0x8512	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:16.435633898 CET	1.1.1.1	192.168.2.5	0x8512	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:16.445050001 CET	1.1.1.1	192.168.2.5	0xd944	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:16.460724115 CET	1.1.1.1	192.168.2.5	0x1afd	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477399111 CET	1.1.1.1	192.168.2.5	0x6cca	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477775097 CET	1.1.1.1	192.168.2.5	0x76ba	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:18.477775097 CET	1.1.1.1	192.168.2.5	0x76ba	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.478511095 CET	1.1.1.1	192.168.2.5	0x54b1	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:18.478511095 CET	1.1.1.1	192.168.2.5	0x54b1	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485049963 CET	1.1.1.1	192.168.2.5	0x1fc	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.485588074 CET	1.1.1.1	192.168.2.5	0x391b	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.486975908 CET	1.1.1.1	192.168.2.5	0xfbff	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.492300987 CET	1.1.1.1	192.168.2.5	0x21e8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 08:50:18.492300987 CET	1.1.1.1	192.168.2.5	0x21e8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 08:50:18.492300987 CET	1.1.1.1	192.168.2.5	0x21e8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 08:50:18.492300987 CET	1.1.1.1	192.168.2.5	0x21e8	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 08:50:18.492662907 CET	1.1.1.1	192.168.2.5	0x874e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 1, 2024 08:50:18.497112989 CET	1.1.1.1	192.168.2.5	0x51f5	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 1, 2024 08:50:18.499963045 CET	1.1.1.1	192.168.2.5	0xda0	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.500075102 CET	1.1.1.1	192.168.2.5	0x3cc1	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:18.500075102 CET	1.1.1.1	192.168.2.5	0x3cc1	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.500075102 CET	1.1.1.1	192.168.2.5	0x3cc1	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.500075102 CET	1.1.1.1	192.168.2.5	0x3cc1	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.500075102 CET	1.1.1.1	192.168.2.5	0x3cc1	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.508724928 CET	1.1.1.1	192.168.2.5	0x514b	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.509139061 CET	1.1.1.1	192.168.2.5	0x4beb	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.509139061 CET	1.1.1.1	192.168.2.5	0x4beb	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.509139061 CET	1.1.1.1	192.168.2.5	0x4beb	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:18.509139061 CET	1.1.1.1	192.168.2.5	0x4beb	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:23.695218086 CET	1.1.1.1	192.168.2.5	0xeef3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:23.695218086 CET	1.1.1.1	192.168.2.5	0xeef3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.042279959 CET	1.1.1.1	192.168.2.5	0xa2e3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.042279959 CET	1.1.1.1	192.168.2.5	0xa2e3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.042279959 CET	1.1.1.1	192.168.2.5	0xa2e3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.042279959 CET	1.1.1.1	192.168.2.5	0xa2e3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.049928904 CET	1.1.1.1	192.168.2.5	0x24c6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.049928904 CET	1.1.1.1	192.168.2.5	0x24c6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.049928904 CET	1.1.1.1	192.168.2.5	0x24c6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.049928904 CET	1.1.1.1	192.168.2.5	0x24c6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.058078051 CET	1.1.1.1	192.168.2.5	0x64bc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 08:50:38.058078051 CET	1.1.1.1	192.168.2.5	0x64bc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 08:50:38.058078051 CET	1.1.1.1	192.168.2.5	0x64bc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 08:50:38.058078051 CET	1.1.1.1	192.168.2.5	0x64bc	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 08:50:38.078423023 CET	1.1.1.1	192.168.2.5	0xb0bb	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:38.078423023 CET	1.1.1.1	192.168.2.5	0xb0bb	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:38.087363958 CET	1.1.1.1	192.168.2.5	0xcaec	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:39.426726103 CET	1.1.1.1	192.168.2.5	0xeba4	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:39.426726103 CET	1.1.1.1	192.168.2.5	0xeba4	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:54.319474936 CET	1.1.1.1	192.168.2.5	0x763a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:50:55.270925999 CET	1.1.1.1	192.168.2.5	0xa91e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:50:55.270925999 CET	1.1.1.1	192.168.2.5	0xa91e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:51:08.728976011 CET	1.1.1.1	192.168.2.5	0x4544	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:51:35.335999966 CET	1.1.1.1	192.168.2.5	0x3b81	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 08:51:35.961697102 CET	1.1.1.1	192.168.2.5	0x33e6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 08:51:35.961697102 CET	1.1.1.1	192.168.2.5	0x33e6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 08:50:10.155452013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:10.756659031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81851 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 08:50:11.397779942 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:11.978847980 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49723	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 08:50:11.770549059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:12.364876986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81853 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:13.194303036 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:13.317425013 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81854 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:13.940006971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:14.062854052 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81855 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:16.439763069 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:16.562577009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81857 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:17.104053020 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:17.228049994 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81858 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:17.762048006 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:17.885143995 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81858 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:23.688848972 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:23.811672926 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81864 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:33.554193974 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:33.676731110 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81874 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:37.832755089 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:37.958725929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81878 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:38.668039083 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:38.790818930 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81879 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:39.413919926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:39.536758900 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81880 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:50:49.554083109 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:50:55.263768911 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:50:55.387373924 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81896 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:51:05.400235891 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:09.345967054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:51:09.469036102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81910 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:51:19.479043007 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:29.506675005 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:35.954421997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 08:51:36.077049971 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 81937 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 08:51:46.084968090 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:56.097527981 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:52:06.109009027 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	34.107.221.82	80	5776	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 08:50:12.425867081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:13.012589931 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58847 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:13.907687902 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:14.044956923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58848 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:14.087973118 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:14.210802078 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58849 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:16.565541029 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:16.688419104 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58851 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:17.231002092 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:17.361421108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58852 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:17.887978077 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:18.011476994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58852 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:23.816129923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:23.939676046 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58858 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:33.681094885 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:33.804193974 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58868 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:37.961909056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:38.084505081 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58873 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:38.793632984 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:38.916729927 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58873 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:39.541795969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:39.664489031 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58874 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:50:49.670099020 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:50:55.390207052 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:50:55.512958050 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58890 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:51:05.516161919 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:09.488614082 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:51:09.808202982 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58904 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:51:19.811227083 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:29.823292017 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:36.080832005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 08:51:36.203780890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 58931 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 08:51:46.216290951 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:51:56.228641033 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 08:52:06.240545988 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	03:50:02
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x200000
File size:	919'552 bytes
MD5 hash:	48E5C172E53EB45E40FE1CEF7643AA58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2088236013.000000000142F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:50:02
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:50:02
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x730000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:50:05
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:50:06
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2092 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be90e5a9-a714-4e9a-b2d9-bae27ca43090} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef03870b10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:50:08
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4188 -parentBuildID 20230927232528 -prefsHandle 4124 -prefMapHandle 4204 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f404cf57-a3ef-442a-af98-a8d562502a5d} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1612bf10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	03:50:12
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5116 -prefMapHandle 5084 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cb7b9e-1b2a-4f54-99f3-e3c24b5654c3} 5776 "\\.\pipe\gecko-crash-server-pipe.5776" 1ef1b599d10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	1600
Total number of Limit Nodes:	51

Executed Functions

Function 002042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0020430D

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

GetCurrentProcess.KERNEL32(?,0029CB64,00000000,?,?), ref: 00204422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00204429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00204454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00204466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00204474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0020447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002044A0

Strings

|O, xrefs: 002436F8
kernel32.dll, xrefs: 0020444F
GetNativeSystemInfo, xrefs: 00204460

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f125783468705732e1a1fd483450d75bccb792d427c11c04d9a6ec856d1b3edd
Instruction ID: b5f4e8fbfd5a1230faa4e949849545b77afb23c47b743b20b99388fff50ee8b6
Opcode Fuzzy Hash: f125783468705732e1a1fd483450d75bccb792d427c11c04d9a6ec856d1b3edd
Instruction Fuzzy Hash: 22A1B4A2D2B3C1FFC795DB69BC4D1957FA5AB26300B1884DBE08193EA2D2704D74CB25

Function 002042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002050AA,?,?,00000000,00000000), ref: 002042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002050AA,?,?,00000000,00000000), ref: 002042C9
LoadResource.KERNEL32(?,00000000,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20), ref: 002435BE
SizeofResource.KERNEL32(?,00000000,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20), ref: 002435D3
LockResource.KERNEL32(002050AA,?,?,002050AA,?,?,00000000,00000000,?,?,?,?,?,?,00204F20,?), ref: 002435E6

Strings

SCRIPT, xrefs: 002042BF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a07192d9ebc03a546002cf8e5b243b4bf824004fe8a8be852f07706023eed763
Instruction ID: b9fdb8b1f72b58d9c632cb234651ff1dea647e89e0f30b6b6b82681ecfab84b3
Opcode Fuzzy Hash: a07192d9ebc03a546002cf8e5b243b4bf824004fe8a8be852f07706023eed763
Instruction Fuzzy Hash: 71117CB0610701BFEB219F65EC48F677BB9EBC5B51F20816AB902D6290DB71D8108630

Function 00242BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00202B6B

Part of subcall function 00203A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D1418,?,00202E7F,?,?,?,00000000), ref: 00203A78

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002C2224), ref: 00242C10
ShellExecuteW.SHELL32(00000000,?,?,002C2224), ref: 00242C17

Strings

runas, xrefs: 00242C0B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 270b6ff55fdb1a3114efe02f767d719401221876f74d85bbdb1ed92ee39a329c
Instruction ID: e2d84b4cf3d1b40a67042554838e3e5275669bb192ccffed00b284f6614f2e80
Opcode Fuzzy Hash: 270b6ff55fdb1a3114efe02f767d719401221876f74d85bbdb1ed92ee39a329c
Instruction Fuzzy Hash: 0011E731624341AAC704FF60D85AABE77A89B91304F44146EF042520E3CF20997DCB52

Function 0026D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0026D501
Process32FirstW.KERNEL32(00000000,?), ref: 0026D50F
Process32NextW.KERNEL32(00000000,?), ref: 0026D52F
CloseHandle.KERNELBASE(00000000), ref: 0026D5DC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 37a7c30cda129fa332607526741d628b0c144b36412e352baf7d41ea0e9d788b
Instruction ID: acf716b85e56ceb9e8dcc2f520fd5f717262e6ca4f1ee8d677d6b707976952cf
Opcode Fuzzy Hash: 37a7c30cda129fa332607526741d628b0c144b36412e352baf7d41ea0e9d788b
Instruction Fuzzy Hash: 9B31D1715183059FD300EF54D885AAFBBF8EF99344F50092DF586831E2EB719998CBA2

Function 0026DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00245222), ref: 0026DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0026DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0026DBEE
FindClose.KERNEL32(00000000), ref: 0026DBFA

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fd828eed5a0bcbd6a32b21c402c1d106218d4211053b9e707bed1c3e14fb7d98
Instruction ID: 370967a2b6df8efbc8fe01203f399eb2f17250cb4667dbe982c407e33542ca17
Opcode Fuzzy Hash: fd828eed5a0bcbd6a32b21c402c1d106218d4211053b9e707bed1c3e14fb7d98
Instruction Fuzzy Hash: FBF0A030C2091857C220AF7CAC0D8AA376C9E01334BA04707F836C20E0EBB159E486D9

Function 00224CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000,?,002328E9), ref: 00224D09
TerminateProcess.KERNEL32(00000000,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000,?,002328E9), ref: 00224D10
ExitProcess.KERNEL32 ref: 00224D22

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8d2e686bf9d48ff451944051d3ee15c6a486f815e7a73de7d8b0c17119785020
Instruction ID: f31f16f49634838847a491df444bf2d251ed5f5aa7f012b978309fc07e3643f7
Opcode Fuzzy Hash: 8d2e686bf9d48ff451944051d3ee15c6a486f815e7a73de7d8b0c17119785020
Instruction Fuzzy Hash: 22E09271010158BBCB11BF94EE0AA583B69AB45B81B204055FC098A132CB35DA62CA94

Function 0020BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#-, xrefs: 002507CE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#-
API String ID: 3964851224-1355192918
Opcode ID: 05f4178387383d5fb9156bc47757bb57dba1dbff475bb231a8b3c1fdb6b74d13
Instruction ID: 633399b70ab282d67fbb120002903cf61b229321b655fb36ae75d2e203c225c4
Opcode Fuzzy Hash: 05f4178387383d5fb9156bc47757bb57dba1dbff475bb231a8b3c1fdb6b74d13
Instruction Fuzzy Hash: C5A25BB06283418FD714CF14C480B6AB7E1BF99304F24896DE99A9B392D771EC65CF92

Function 0028AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0028B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028B1D4
_wcslen.LIBCMT ref: 0028B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028B236
_wcslen.LIBCMT ref: 0028B332

Part of subcall function 002705A7: GetStdHandle.KERNEL32(000000F6), ref: 002705C6

_wcslen.LIBCMT ref: 0028B34B
_wcslen.LIBCMT ref: 0028B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028B3B6
GetLastError.KERNEL32(00000000), ref: 0028B407
CloseHandle.KERNEL32(?), ref: 0028B439
CloseHandle.KERNEL32(00000000), ref: 0028B44A
CloseHandle.KERNEL32(00000000), ref: 0028B45C
CloseHandle.KERNEL32(00000000), ref: 0028B46E
CloseHandle.KERNEL32(?), ref: 0028B4E3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e679c9838f557072844364932a7ddff0c3fbd24ea682475cfa374646f2de8d73
Instruction ID: 5c4a37476a7e900db099f32e5272ae6888969620ed2e7557a7690fcfdbccfc0b
Opcode Fuzzy Hash: e679c9838f557072844364932a7ddff0c3fbd24ea682475cfa374646f2de8d73
Instruction Fuzzy Hash: 19F1AB355293019FC725EF24C891B6ABBE4AF85310F18855DF8998B2E2CB31EC64CF52

Function 0020D730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0020D807
timeGetTime.WINMM ref: 0020DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB28
TranslateMessage.USER32(?), ref: 0020DB7B
DispatchMessageW.USER32(?), ref: 0020DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB9F
Sleep.KERNELBASE(0000000A), ref: 0020DBB1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ba601c1606a5d5494d65582fc59ab61891df9e27a426de01cf9f8387f3212af6
Instruction ID: e3ca565a883ca4d2c21e84e3a48bd78290862a7b30426520744f658d5457d2ad
Opcode Fuzzy Hash: ba601c1606a5d5494d65582fc59ab61891df9e27a426de01cf9f8387f3212af6
Instruction Fuzzy Hash: 8142F330629342EFD728CF64C848BAAB7E4BF46305F14855EE855872D2D770E868CF96

Function 00202CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00202D07
RegisterClassExW.USER32(00000030), ref: 00202D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202D42
InitCommonControlsEx.COMCTL32(?), ref: 00202D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202D6F
LoadIconW.USER32(000000A9), ref: 00202D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00202D94

Strings

AutoIt v3 GUI, xrefs: 00202D23
+, xrefs: 00202CF0
TaskbarCreated, xrefs: 00202D37
0, xrefs: 00202CE9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f5bd53e8581d377de13c2485013dc63e6965a3ab1f93a1293bc6fd721ac4995
Instruction ID: fe83d269493b22434e8f1a2cb25afb6b110d67f304db47637871b72e7f093244
Opcode Fuzzy Hash: 8f5bd53e8581d377de13c2485013dc63e6965a3ab1f93a1293bc6fd721ac4995
Instruction Fuzzy Hash: 6F21B2B5D52218AFEB00DFA4F85DADDBBB8FB08700F20411BE511A62A0D7B149548F91

Function 0024065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0024039A: CreateFileW.KERNELBASE(00000000,00000000,?,00240704,?,?,00000000,?,00240704,00000000,0000000C), ref: 002403B7

GetLastError.KERNEL32 ref: 0024076F
__dosmaperr.LIBCMT ref: 00240776
GetFileType.KERNELBASE(00000000), ref: 00240782
GetLastError.KERNEL32 ref: 0024078C
__dosmaperr.LIBCMT ref: 00240795
CloseHandle.KERNEL32(00000000), ref: 002407B5
CloseHandle.KERNEL32(?), ref: 002408FF
GetLastError.KERNEL32 ref: 00240931
__dosmaperr.LIBCMT ref: 00240938

Strings

H, xrefs: 002408BD

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fa59d16149e8fc4844a7c033801ef29f764fe2b83bb36fa2f8271451863ed38f
Instruction ID: e8c93175ba515a2688bc1f8a870cf69565f8592be85ec70ae073dc6ccf5f84c0
Opcode Fuzzy Hash: fa59d16149e8fc4844a7c033801ef29f764fe2b83bb36fa2f8271451863ed38f
Instruction Fuzzy Hash: CCA14732A201158FDF1DAF68D895BAD7BB0EB06320F24015EF9159F291CB349C62CF91

Function 0020344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00203A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002D1418,?,00202E7F,?,?,?,00000000), ref: 00203A78

Part of subcall function 00203357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00203379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0020356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0024318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002431CE
RegCloseKey.ADVAPI32(?), ref: 00243210
_wcslen.LIBCMT ref: 00243277
_wcslen.LIBCMT ref: 00243286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00203560
\, xrefs: 0024328C
\Include\, xrefs: 00203527
Include, xrefs: 00243184, 002431C5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2d6850618fc5b116a5c9e6c0c7a3ddd80d254b8487c6d731aaa3efdcb0812e6d
Instruction ID: fdca7d1f4d720d3dce842891ded1ce40520c3785b98803f47061ec0a8ec57c76
Opcode Fuzzy Hash: 2d6850618fc5b116a5c9e6c0c7a3ddd80d254b8487c6d731aaa3efdcb0812e6d
Instruction Fuzzy Hash: 2071AD71925301DEC344EF69EC8686BBBE8FFA5340F40042EF545931A1EB708A58CF61

Function 00202B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00202B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00202B9D
LoadIconW.USER32(00000063), ref: 00202BB3
LoadIconW.USER32(000000A4), ref: 00202BC5
LoadIconW.USER32(000000A2), ref: 00202BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00202BEF
RegisterClassExW.USER32(?), ref: 00202C40

Part of subcall function 00202CD4: GetSysColorBrush.USER32(0000000F), ref: 00202D07
Part of subcall function 00202CD4: RegisterClassExW.USER32(00000030), ref: 00202D31
Part of subcall function 00202CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202D42
Part of subcall function 00202CD4: InitCommonControlsEx.COMCTL32(?), ref: 00202D5F
Part of subcall function 00202CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202D6F
Part of subcall function 00202CD4: LoadIconW.USER32(000000A9), ref: 00202D85
Part of subcall function 00202CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00202D94

Strings

0, xrefs: 00202C0F
#, xrefs: 00202C16
AutoIt v3, xrefs: 00202C2F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e22e853f66927e66dc865f623577199c5b5646ac90b61a184102b4277b2564f4
Instruction ID: 5431dd4643c46326e53ec13b3caaa388964e620f082a38e3002ada5343ed5413
Opcode Fuzzy Hash: e22e853f66927e66dc865f623577199c5b5646ac90b61a184102b4277b2564f4
Instruction Fuzzy Hash: C7213A70E52314BBDB509FE5FC4DAA9BFB8FB08B50F50019BE504A6AA0D3B10960CF90

Function 00203170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0020316A,?,?), ref: 002031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0020316A,?,?), ref: 00203204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00203227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0020316A,?,?), ref: 00203232
CreatePopupMenu.USER32 ref: 00203246
PostQuitMessage.USER32(00000000), ref: 00203267

Strings

TaskbarCreated, xrefs: 0020322D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e63a5d56a1fedd34d6c7477cb6b3b648738017ab63228933818738bc940245e7
Instruction ID: 6adff9a756f0fe4b13f0d3a40d49af829d6ed47bbe209577d08d3d60b33d7520
Opcode Fuzzy Hash: e63a5d56a1fedd34d6c7477cb6b3b648738017ab63228933818738bc940245e7
Instruction Fuzzy Hash: 89411735670301BBDB149FB8AC2DBB9775DEB09340F140117F906866E3CBA19EB09B61

Function 0020EC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020FE66

Strings

D%-, xrefs: 0020F36A
D%-, xrefs: 0020EFB7
D%-, xrefs: 0025491E
D%-, xrefs: 00254972
D%-D%-, xrefs: 0020F05B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%-$D%-$D%-$D%-$D%-D%-
API String ID: 1385522511-1705906001
Opcode ID: 38a9870206979b99145bd8c96c6883d1cc3c88b429bd6cf6fed7d217e0cf0cc6
Instruction ID: 1a3258a4495df9f26f47a32a37323eac00e60fa3e224841ebf7775de691a989c
Opcode Fuzzy Hash: 38a9870206979b99145bd8c96c6883d1cc3c88b429bd6cf6fed7d217e0cf0cc6
Instruction Fuzzy Hash: 13B2BD74A28341CFDB64CF14D580A2AB7E1BF99304F24486EE8858B792D771ECA5CF52

Function 00201410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00201459
CoUninitialize.COMBASE ref: 002014F8
UnregisterHotKey.USER32(?), ref: 002016DD
DestroyWindow.USER32(?), ref: 002424B9
FreeLibrary.KERNEL32(?), ref: 0024251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0024254B

Strings

close all, xrefs: 00201454

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 960a070f22ffd22b4b87bf8f96d3b194103e7e7a9cab6b778b3fba9e69982ac2
Instruction ID: 0873fea78383b76c08d82c9a04c8ebfe87f2cae208ccb81571da52d66f6d00b2
Opcode Fuzzy Hash: 960a070f22ffd22b4b87bf8f96d3b194103e7e7a9cab6b778b3fba9e69982ac2
Instruction Fuzzy Hash: FFD18D31721212CFDB19EF15C899B29F7A4BF05700FA5419DE84A6B2A2CB31AD76CF50

Function 00202C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00202C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00202CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00201CAD,?), ref: 00202CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00201CAD,?), ref: 00202CCF

Strings

edit, xrefs: 00202CAC
AutoIt v3, xrefs: 00202C89, 00202C8E, 00202C8F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 17e8d93ab04cc1e33a1029a0581574e5578bac405ab7bad86b76d56cbfb10844
Instruction ID: 0d53799a7e6c872a290403ec150b5017696ea61d65ec9b2ddc929fc00183478f
Opcode Fuzzy Hash: 17e8d93ab04cc1e33a1029a0581574e5578bac405ab7bad86b76d56cbfb10844
Instruction Fuzzy Hash: 84F0D475A412907BEB711B27BC0CEB76FBDD7CAF60B10009BF904A29A0C6611C60DAB0

Function 00203B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00203B0F,SwapMouseButtons,00000004,?), ref: 00203B83

Strings

Control Panel\Mouse, xrefs: 00203B3E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e2ecc2379685a33b730daa34e6c857ae43b0ed4ea0d309358c8f4e58b1530a48
Instruction ID: 9e47900dd3e12d35c13c3c61bb340637e7900188cc89ed6880f9a7a637f5e19f
Opcode Fuzzy Hash: e2ecc2379685a33b730daa34e6c857ae43b0ed4ea0d309358c8f4e58b1530a48
Instruction Fuzzy Hash: 17112AB5520209FFDB20CFA5DC89AAEBBBCEF04748B10445AA805D7250D2719E549760

Function 00203923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002433A2

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00203A04

Strings

Line: , xrefs: 002433EB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: bf16a3a7c726686d613af1c4bf7320bc8c8bc4de97001c825f7e9926b6b466cb
Instruction ID: 63eeea5360f03d379867d46ee373b09189b14d54e30a257a5eadd1e38af5cf11
Opcode Fuzzy Hash: bf16a3a7c726686d613af1c4bf7320bc8c8bc4de97001c825f7e9926b6b466cb
Instruction Fuzzy Hash: 3331E371929305AAC324EF20EC49BEBB7DCAF40710F00456BF599825D2DB709A79CBC2

Function 00202DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00242C8C

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 00202DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00202DC4

Strings

X, xrefs: 00242C5A
`e,, xrefs: 00242C85

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e,
API String ID: 779396738-2207544159
Opcode ID: 51e431e46424df785fef84a9417dd50615fe4682161503707f1e18b31b916665
Instruction ID: 7d6d8763d6f572351b3f5f984012d0dde620c7e60b3ce5f2bd51e2f132ec22a1
Opcode Fuzzy Hash: 51e431e46424df785fef84a9417dd50615fe4682161503707f1e18b31b916665
Instruction Fuzzy Hash: 6821A871A203589FCB15EF94D849BDE7BFC9F49304F40405AE405B7282DBB459AD8F61

Function 0021FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00220668

Part of subcall function 002232A4: RaiseException.KERNEL32(?,?,?,0022068A,?,002D1444,?,?,?,?,?,?,0022068A,00201129,002C8738,00201129), ref: 00223304

__CxxThrowException@8.LIBVCRUNTIME ref: 00220685

Strings

Unknown exception, xrefs: 00220692

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 1f827c36c638bca9d09f11055417a9f0aeca54a3e2c8414bbdaf774f6a0479ca
Instruction ID: ef40377ad867358bd675dc8b8535461899ca59a42eb3576e7de9b31567624fc9
Opcode Fuzzy Hash: 1f827c36c638bca9d09f11055417a9f0aeca54a3e2c8414bbdaf774f6a0479ca
Instruction Fuzzy Hash: A4F0C83492021DB7CF00BAE4F886DAE776C5E00310B604575F924D5593EF75DA75C9C0

Function 002010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00201BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201BF4
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00201BFC
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00201C07
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00201C12
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00201C1A
Part of subcall function 00201BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00201C22

Part of subcall function 00201B4A: RegisterWindowMessageW.USER32(00000004,?,002012C4), ref: 00201BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0020136A
OleInitialize.OLE32 ref: 00201388
CloseHandle.KERNEL32(00000000,00000000), ref: 002424AB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: dff831a966545ba5180b226314a45ee1ebe3253564e1fa8e66db6b24c42226b5
Instruction ID: 1f584e73b5f84667f27336408e1034a2c7389931cb7c901026690233d259918e
Opcode Fuzzy Hash: dff831a966545ba5180b226314a45ee1ebe3253564e1fa8e66db6b24c42226b5
Instruction Fuzzy Hash: 0C718EB4E22340AED784DFB9B9496553BE5FB88344394826BD40AC7BA2E7384C74CF51

Function 0026C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00203923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00203A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0026C259
KillTimer.USER32(?,00000001,?,?), ref: 0026C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0026C270

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: fe10009e6e828d9b74a8c7c35ed2ea27cf8d9f3989f83eb33b08d430d19593f8
Instruction ID: 9c52610cd0b83a05dfc5c38d15e4d74d2ca642aed962885cbd3cf6fcb27699af
Opcode Fuzzy Hash: fe10009e6e828d9b74a8c7c35ed2ea27cf8d9f3989f83eb33b08d430d19593f8
Instruction Fuzzy Hash: 73319570914344AFEB22DF6498A9BE7BBEC9F06304F10049AD9DE97241C7745AD4CB51

Function 002386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002385CC,?,002C8CC8,0000000C), ref: 00238704
GetLastError.KERNEL32(?,002385CC,?,002C8CC8,0000000C), ref: 0023870E
__dosmaperr.LIBCMT ref: 00238739

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 681662943b094bf9167319b499c87dfbeb5a1db6cc07b9d43b3cb8fc2328f258
Instruction ID: c4f1c1d6bad67e8b6f06377275dc36516d6238d375b8fb2d0fcf3d4d1d51549f
Opcode Fuzzy Hash: 681662943b094bf9167319b499c87dfbeb5a1db6cc07b9d43b3cb8fc2328f258
Instruction Fuzzy Hash: 9C016BB2A353302AD6206734694A77E675D4B82774F38015AF8198F0D2DEA0CC918950

Function 0020DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0020DB7B
DispatchMessageW.USER32(?), ref: 0020DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020DB9F
Sleep.KERNELBASE(0000000A), ref: 0020DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00251CC9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 9d7687756aebccb6397eacadfdc1941134475f8f83d702450a9f76ce0f189c87
Instruction ID: 095e2f7b3e94998e781c151c7ed0f04f76db841a9ab2ea11f01897be79fddf8d
Opcode Fuzzy Hash: 9d7687756aebccb6397eacadfdc1941134475f8f83d702450a9f76ce0f189c87
Instruction Fuzzy Hash: 14F054306553419BE730CBA09C49FEA73ACEF44311F504516E609C30C0DB309468DB16

Function 00211310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002117F6

Strings

CALL, xrefs: 002117C6

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: c790114980dc9bfa5df99db23cebe77c735de66def5120686db52169ba6f84a0
Instruction ID: f157ad32bed1a4035642ae6364efa048bb86cb2a7340fad2bdca2cd61c0af1d9
Opcode Fuzzy Hash: c790114980dc9bfa5df99db23cebe77c735de66def5120686db52169ba6f84a0
Instruction Fuzzy Hash: EE22BD706283029FC714CF14C484A6ABBF1BFA5304F64895DF9968B3A1D772E8A5CF42

Function 00203837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203908

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 98df92bd9ca4676e0041a218f16650ff5ea2fff9baef7bd461c4b0e96bac0dab
Instruction ID: d629178ff3932365396016941a75e50fb8ce66dbc0b3755fde00d4ea42ae9315
Opcode Fuzzy Hash: 98df92bd9ca4676e0041a218f16650ff5ea2fff9baef7bd461c4b0e96bac0dab
Instruction Fuzzy Hash: 8231D770A15301DFD360DF24E888797BBE8FB49308F00096FF59983281D771AA64CB52

Function 0021F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0021F661

Part of subcall function 0020D730: GetInputState.USER32 ref: 0020D807

Sleep.KERNEL32(00000000), ref: 0025F2DE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: d842ab8386338de74a01bb8bdcdbddb196921849ec610068fc9202c640e01a56
Instruction ID: 975073ee4153995e77e70d28d28ecd3bc372d15e9ed4f957b0900232307fd33e
Opcode Fuzzy Hash: d842ab8386338de74a01bb8bdcdbddb196921849ec610068fc9202c640e01a56
Instruction Fuzzy Hash: 85F058312502059FD354EF79E949BAABBE8AB49761F00006AE85DC72A1DB70A8108F94

Function 00204ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00204E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E9C
Part of subcall function 00204E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00204EAE
Part of subcall function 00204E90: FreeLibrary.KERNEL32(00000000,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EFD

Part of subcall function 00204E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E62
Part of subcall function 00204E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00204E74
Part of subcall function 00204E59: FreeLibrary.KERNEL32(00000000,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E87

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cf9902ab07751b88b9f657d32cb39e4e10c1988a222eae9ac77facd25183458a
Instruction ID: fe1fbf338bc439fe3193e8c34ea2fe7accdbcd4d63f17d8285719747a9f68557
Opcode Fuzzy Hash: cf9902ab07751b88b9f657d32cb39e4e10c1988a222eae9ac77facd25183458a
Instruction Fuzzy Hash: 58110471630306AACF14FF60DC46BAD77A59F40715F20842EF642A61C2DEB49A249F50

Function 00238402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00238440

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7d1ea554090d43e850c88e0e2753520523b0111ddba6ae3f3ad7894c0b9b37cb
Instruction ID: 7db056eb6794f82da8ffb6a77147c61969770f1f1a816acd14ac1ae3b33db412
Opcode Fuzzy Hash: 7d1ea554090d43e850c88e0e2753520523b0111ddba6ae3f3ad7894c0b9b37cb
Instruction Fuzzy Hash: C31118B591420AAFCF15DF58E94199A7BF5EF48314F104059F908AB312DB31EA21CBA5

Function 00235000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00234C7D: RtlAllocateHeap.NTDLL(00000008,00201129,00000000,?,00232E29,00000001,00000364,?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?), ref: 00234CBE

_free.LIBCMT ref: 0023506C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: e0072f3ef053dede176f56f52f2d75d3c9bf4bb50b3ca636c63331bd82c23a40
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 760149F2214715ABE335CF65D881A5AFBECFB89370F25051DE188832C0EA71A905CBB4

Function 0022E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ae3882fba8a16c76af1098a80d040220e23d087ad03a24a866eb9356d4d1d3c0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: ECF0F472530A34F6DA313EA9AC05B6A339C9F52331F110725F920961D2DBB4A8259EA5

Function 00234C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00201129,00000000,?,00232E29,00000001,00000364,?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?), ref: 00234CBE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f75465f3791b294c81e97ee91907f14dd28aca2c08e34f5563d6f4c07f4569fb
Instruction ID: ecef870158bdf84b7a41f03e98fd0bb5a2b531a80ba0d60babd77e19febfeb48
Opcode Fuzzy Hash: f75465f3791b294c81e97ee91907f14dd28aca2c08e34f5563d6f4c07f4569fb
Instruction Fuzzy Hash: CFF0247163223176DB203FA2AC08B5A3788AF413A0F1459A3B809A61A1CA70FC3146A0

Function 00233820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 537aa0aec451b5a9935bcaab485025f070edb6a40ff1c66666822310097b3c04
Instruction ID: d9c1643096608bc7bb40f8381f9d099a0314a8c15fd514db3e83554ca552af77
Opcode Fuzzy Hash: 537aa0aec451b5a9935bcaab485025f070edb6a40ff1c66666822310097b3c04
Instruction Fuzzy Hash: 19E0E572631236A6E6216EA6AC04B9A3749AF427B0F150132BC04928A0CB50DF2185E4

Function 00204F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204F6D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b26fa6113463d5867f8dec01e398e40dd05378e13acc85b57a23db45593773a4
Instruction ID: 2d40abbe2a1378e6fcee8b154590cdbb24066151b01a3d1bd9edc9f035588f22
Opcode Fuzzy Hash: b26fa6113463d5867f8dec01e398e40dd05378e13acc85b57a23db45593773a4
Instruction Fuzzy Hash: 4EF01CB1125753CFDB34AF64E498822B7E4AF14319320C96EE3DA82952C7719854DF10

Function 00292A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00292A66

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e8686999528041152e1b79c53cc74ed22891c0d3dc8f61839a979e253a5d760b
Instruction ID: 0e6269281f0d5da05457045a7668c204b35c1e2ba2b58396a15d638d9c27220f
Opcode Fuzzy Hash: e8686999528041152e1b79c53cc74ed22891c0d3dc8f61839a979e253a5d760b
Instruction Fuzzy Hash: 42E04F77374116FACB14EA30EC808FA735CEF603957104536AC1AD2100DF3099B98AA0

Function 002030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0020314E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1b2ed73e1deb44ac09fd2ebc51b8bdcbece604f4b053af408e524d808e05dd43
Instruction ID: 89c339c5362595cee083794805db926aadd324a66196ea298d7b4659a1fce347
Opcode Fuzzy Hash: 1b2ed73e1deb44ac09fd2ebc51b8bdcbece604f4b053af408e524d808e05dd43
Instruction Fuzzy Hash: 80F0A770A10354AFE792DF24EC497D57BBCAB01708F0000E6A14896182D7705B98CF41

Function 00202DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00202DC4

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f8244720df200c6c657f6c74a186e182122680619bde9c270efe906f62c51c71
Instruction ID: 7c1f832b085b0a0e9eb3479f924c460f08853bbe187d5a2a5cd3c229d90d5fd5
Opcode Fuzzy Hash: f8244720df200c6c657f6c74a186e182122680619bde9c270efe906f62c51c71
Instruction Fuzzy Hash: DEE0CD72A002245BC720D7589C09FDA77DDDFC8790F050071FD09E7249D960AD948950

Function 00202B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00203837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203908

Part of subcall function 0020D730: GetInputState.USER32 ref: 0020D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00202B6B

Part of subcall function 002030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0020314E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b9f547c598ff2f09b32fdfcbeb9f39114a3fc2cf6aa792e12f6d271806f6f8ee
Instruction ID: 3fb91a48a9474533e66ea5a734c2209e24c0cf998b3b34f43b1ca0942a9963cc
Opcode Fuzzy Hash: b9f547c598ff2f09b32fdfcbeb9f39114a3fc2cf6aa792e12f6d271806f6f8ee
Instruction Fuzzy Hash: 1EE0262132030417C704FB70A85657DB34D8BD1311F00053FF142836E3CE2049794A11

Function 0024039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00240704,?,?,00000000,?,00240704,00000000,0000000C), ref: 002403B7

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 78044742d53e06dfd84add41016d4880685865009ef6ca2bec8c8bdaa21260f1
Instruction ID: da7ebe3b912759a88846c7a8b590f85ca7d37b2e91784f86eab2b38e0fa55ba8
Opcode Fuzzy Hash: 78044742d53e06dfd84add41016d4880685865009ef6ca2bec8c8bdaa21260f1
Instruction Fuzzy Hash: 0BD06C3204010DBBDF028F84ED06EDA3BAAFB48714F114000BE1856020C732E821AB94

Function 00201CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00201CBC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 5596f8e02d39b58150911a0c866166a73979ff64f26e6ad2d3ff2ebbf7de2558
Instruction ID: 83c73bc3b50f6312f9a2379230ce82a2eacdf938060e0754e3a6ebaa1e72f3bd
Opcode Fuzzy Hash: 5596f8e02d39b58150911a0c866166a73979ff64f26e6ad2d3ff2ebbf7de2558
Instruction Fuzzy Hash: C3C09236681304EFF2188B84BC4EF107764E358B00F948003F609B99E3C3A22C20EA50

Non-executed Functions

Function 00299576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0029961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0029965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0029969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002996C9
SendMessageW.USER32 ref: 002996F2
GetKeyState.USER32(00000011), ref: 0029978B
GetKeyState.USER32(00000009), ref: 00299798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002997AE
GetKeyState.USER32(00000010), ref: 002997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002997E9
SendMessageW.USER32 ref: 00299810
SendMessageW.USER32(?,00001030,?,00297E95), ref: 00299918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0029992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00299941
SetCapture.USER32(?), ref: 0029994A
ClientToScreen.USER32(?,?), ref: 002999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002999D6
ReleaseCapture.USER32 ref: 002999E1
GetCursorPos.USER32(?), ref: 00299A19
ScreenToClient.USER32(?,?), ref: 00299A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00299A80
SendMessageW.USER32 ref: 00299AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00299AEB
SendMessageW.USER32 ref: 00299B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00299B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00299B4A
GetCursorPos.USER32(?), ref: 00299B68
ScreenToClient.USER32(?,?), ref: 00299B75
GetParent.USER32(?), ref: 00299B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00299BFA
SendMessageW.USER32 ref: 00299C2B
ClientToScreen.USER32(?,?), ref: 00299C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00299CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00299CDE
SendMessageW.USER32 ref: 00299D01
ClientToScreen.USER32(?,?), ref: 00299D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00299D82

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

GetWindowLongW.USER32(?,000000F0), ref: 00299E05

Strings

p#-, xrefs: 00299990
F, xrefs: 00299D07
@GUI_DRAGID, xrefs: 0029997D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#-
API String ID: 3429851547-2933316088
Opcode ID: a8dffc416c9126e6ef83f799058f99d42559790e54779f897bf7c1c5d0d8cfa2
Instruction ID: 3409c0686f108de0dfbdcc1b6d42577c0a7edce1153e26b9a97666d6e1666e3d
Opcode Fuzzy Hash: a8dffc416c9126e6ef83f799058f99d42559790e54779f897bf7c1c5d0d8cfa2
Instruction Fuzzy Hash: 7D429071624201AFDB24CF68DC58AAABBE9FF49320F10461EF599872A1D771D8B0CF51

Function 00294873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00294908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00294927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0029494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0029495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0029497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00294A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00294A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00294A7E
IsMenu.USER32(?), ref: 00294A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00294AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00294B20
GetWindowLongW.USER32(?,000000F0), ref: 00294B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00294BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00294C82
wsprintfW.USER32 ref: 00294CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00294CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00294CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00294D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00294D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00294D5A

Strings

%d/%02d/%02d, xrefs: 00294CA8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 9e229ee2b36eeea84fc31b0dce06505ebc59675d4380134e8181b140eba501a8
Instruction ID: d9020543b743cb95b4c6abbb786103d2ce0cca5e31c7d5852f595f83023084b1
Opcode Fuzzy Hash: 9e229ee2b36eeea84fc31b0dce06505ebc59675d4380134e8181b140eba501a8
Instruction Fuzzy Hash: 6B121371620215ABEF28AF24DC49FAE7BF8EF85310F10412AF915EB2E1D7749952CB50

Function 0021F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0021F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025F474
IsIconic.USER32(00000000), ref: 0025F47D
ShowWindow.USER32(00000000,00000009), ref: 0025F48A
SetForegroundWindow.USER32(00000000), ref: 0025F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025F4AA
GetCurrentThreadId.KERNEL32 ref: 0025F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0025F4DE
SetForegroundWindow.USER32(00000000), ref: 0025F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F4F6
keybd_event.USER32(00000012,00000000), ref: 0025F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F50B
keybd_event.USER32(00000012,00000000), ref: 0025F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F519
keybd_event.USER32(00000012,00000000), ref: 0025F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025F528
keybd_event.USER32(00000012,00000000), ref: 0025F52D
SetForegroundWindow.USER32(00000000), ref: 0025F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0025F557

Strings

Shell_TrayWnd, xrefs: 0025F46F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8a43b5215d6e4b3e2be2c72292cf23a4baacd14f74fb06a0a4ff74cb676b2ff1
Instruction ID: bb79609caa00881b8504aa4160283b57cb795ac918cd9fa6756c829ce8f89cb1
Opcode Fuzzy Hash: 8a43b5215d6e4b3e2be2c72292cf23a4baacd14f74fb06a0a4ff74cb676b2ff1
Instruction Fuzzy Hash: 00319071A50318BBEB206FB56D4EFBF7E6CEB44B50F600026FA04F61D1D6B05D10AAA4

Function 00261201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
Part of subcall function 002616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
Part of subcall function 002616C3: GetLastError.KERNEL32 ref: 0026174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00261286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002612A8
CloseHandle.KERNEL32(?), ref: 002612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002612D1
GetProcessWindowStation.USER32 ref: 002612EA
SetProcessWindowStation.USER32(00000000), ref: 002612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00261310

Part of subcall function 002610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002611FC), ref: 002610D4
Part of subcall function 002610BF: CloseHandle.KERNEL32(?,?,002611FC), ref: 002610E9

Strings

Z,, xrefs: 00261392
, xrefs: 0026125A
winsta0, xrefs: 002612CC
default, xrefs: 0026130B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z,
API String ID: 22674027-3239213951
Opcode ID: 56cf93ad611bf95ac13ecbcff95227a08f21860e337883ef1586cbb2a1c8b19c
Instruction ID: 92de5ebcfe62b8706f938e08d600c66c48af3401f0caf2219645eb9457258aff
Opcode Fuzzy Hash: 56cf93ad611bf95ac13ecbcff95227a08f21860e337883ef1586cbb2a1c8b19c
Instruction Fuzzy Hash: CC81AF71910249BFDF119FA4DC49FEE7BB9EF04704F18412AF910A61A0DB71A9B4CB61

Function 00260B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
Part of subcall function 002610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
Part of subcall function 002610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
Part of subcall function 002610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00260BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00260C00
GetLengthSid.ADVAPI32(?), ref: 00260C17
GetAce.ADVAPI32(?,00000000,?), ref: 00260C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00260C6D
GetLengthSid.ADVAPI32(?), ref: 00260C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00260C8C
HeapAlloc.KERNEL32(00000000), ref: 00260C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00260CB4
CopySid.ADVAPI32(00000000), ref: 00260CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00260CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00260D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00260D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D45
HeapFree.KERNEL32(00000000), ref: 00260D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D55
HeapFree.KERNEL32(00000000), ref: 00260D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260D65
HeapFree.KERNEL32(00000000), ref: 00260D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00260D78
HeapFree.KERNEL32(00000000), ref: 00260D7F

Part of subcall function 00261193: GetProcessHeap.KERNEL32(00000008,00260BB1,?,00000000,?,00260BB1,?), ref: 002611A1
Part of subcall function 00261193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260BB1,?), ref: 002611A8
Part of subcall function 00261193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00260BB1,?), ref: 002611B7

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f33e3eeeea4306680abf170c900927efcfb0c2e7aa2e5659660e261f12301a66
Instruction ID: ee0fb0ee7a7647134d5820eb946b2558c828c8a29920e40da42ccfa74161674a
Opcode Fuzzy Hash: f33e3eeeea4306680abf170c900927efcfb0c2e7aa2e5659660e261f12301a66
Instruction Fuzzy Hash: 3A716B7291020AAFDF10DFA4EC88FAFBBB8FF05300F144626E918A6191D771A955DB60

Function 0027EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0029CC08), ref: 0027EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0027EB37
GetClipboardData.USER32(0000000D), ref: 0027EB43
CloseClipboard.USER32 ref: 0027EB4F
GlobalLock.KERNEL32(00000000), ref: 0027EB87
CloseClipboard.USER32 ref: 0027EB91
GlobalUnlock.KERNEL32(00000000), ref: 0027EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0027EBC9
GetClipboardData.USER32(00000001), ref: 0027EBD1
GlobalLock.KERNEL32(00000000), ref: 0027EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0027EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0027EC38
GetClipboardData.USER32(0000000F), ref: 0027EC44
GlobalLock.KERNEL32(00000000), ref: 0027EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0027EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0027ECF3
CountClipboardFormats.USER32 ref: 0027ED14
CloseClipboard.USER32 ref: 0027ED59

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 82f5057185b73262ade629c0ff893b92944c1a929fe86a22e264794ee6de55f3
Instruction ID: 8ae1f2b527ee85516679b1302af1942031d5d901b18228884b7c51e47b606eca
Opcode Fuzzy Hash: 82f5057185b73262ade629c0ff893b92944c1a929fe86a22e264794ee6de55f3
Instruction Fuzzy Hash: 6A61E5742143029FD710EF24D889F2A7BA8BF88704F15959EF85A872A2DB30DD55CB72

Function 0027698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002769BE
FindClose.KERNEL32(00000000), ref: 00276A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00276A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00276A75

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00276AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00276ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00276B32
%4d, xrefs: 00276BB1
%02d, xrefs: 00276C00, 00276C0A, 00276C5A, 00276CAA, 00276CFA, 00276D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00276B6A
%03d, xrefs: 00276DA2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 82aabe15dd2b75aad9a300e848dd6617c0d343ad8ff761eec4b2c411dbbd87b3
Instruction ID: b499229ecbd52ab77bb5ce92905e9de8a4757077d39ed0fa9fedec7c3bbc5eea
Opcode Fuzzy Hash: 82aabe15dd2b75aad9a300e848dd6617c0d343ad8ff761eec4b2c411dbbd87b3
Instruction Fuzzy Hash: 66D173B1518301AFC310EFA0C985EABB7ECAF98704F44491EF589D7192EB74DA54CB62

Function 00279642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00279663
GetFileAttributesW.KERNEL32(?), ref: 002796A1
SetFileAttributesW.KERNEL32(?,?), ref: 002796BB
FindNextFileW.KERNEL32(00000000,?), ref: 002796D3
FindClose.KERNEL32(00000000), ref: 002796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0027974A
SetCurrentDirectoryW.KERNEL32(002C6B7C), ref: 00279768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00279772
FindClose.KERNEL32(00000000), ref: 0027977F
FindClose.KERNEL32(00000000), ref: 0027978F

Strings

*.*, xrefs: 002796F5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 09b9ffb0dc0fb2e5b5b2b08a0fc98fbbf5fd984b2705b80eac4dbf9ea3a06912
Instruction ID: fe41aaead8092e5c80780116033f272872798f4d934faaaae5fc72f5aa7dc9df
Opcode Fuzzy Hash: 09b9ffb0dc0fb2e5b5b2b08a0fc98fbbf5fd984b2705b80eac4dbf9ea3a06912
Instruction Fuzzy Hash: 5D31A47256131A6ADB14DFB4EC4DEEE77AC9F09320F108256E819E2190DB30DD948A24

Function 0027979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00279819
FindClose.KERNEL32(00000000), ref: 00279824
FindFirstFileW.KERNEL32(*.*,?), ref: 00279840
SetCurrentDirectoryW.KERNEL32(?), ref: 00279890
SetCurrentDirectoryW.KERNEL32(002C6B7C), ref: 002798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002798B8
FindClose.KERNEL32(00000000), ref: 002798C5
FindClose.KERNEL32(00000000), ref: 002798D5

Part of subcall function 0026DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0026DB00

Strings

*.*, xrefs: 0027983B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 81321c90b2245b17f88db918110b17c8d5c3373eb49bcee8fadc31983af16056
Instruction ID: f2fac32b5af57790aeff84d32dd34c94c34fd2050e902e3568fe7630fe70b797
Opcode Fuzzy Hash: 81321c90b2245b17f88db918110b17c8d5c3373eb49bcee8fadc31983af16056
Instruction Fuzzy Hash: 5731A33155171A7ADF10EFB4EC48EDE77AC9F06324F2481A6E818A21D0DB70DDA4CE65

Function 0028BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0028BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0028BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0028C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0028C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0028C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0028C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0028C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0028C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028C382
RegCloseKey.ADVAPI32(00000000), ref: 0028C38F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d54e338488f34055d433876f93b0415f9c9cd8120b609eedc403cce83cfe48be
Instruction ID: 4738ae4bee5f32f60d26d3d9d6da698ca282535552825ab34ef204091647ed27
Opcode Fuzzy Hash: d54e338488f34055d433876f93b0415f9c9cd8120b609eedc403cce83cfe48be
Instruction Fuzzy Hash: 1D025C746142019FD714DF28C895E2ABBE5EF89314F18C49DF84ACB2A2D731EC56CB61

Function 00278195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00278257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00278267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00278273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00278310
SetCurrentDirectoryW.KERNEL32(?), ref: 00278324
SetCurrentDirectoryW.KERNEL32(?), ref: 00278356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0027838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00278395

Strings

*.*, xrefs: 0027839B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5c69197f6291fa83c634ff62643d92503b8bfc92d589f420210a5b7da329f2fe
Instruction ID: e0a64cdc8e2ab870bec09fcdc79919d2311982fd8a38bbb179a1db156fd42273
Opcode Fuzzy Hash: 5c69197f6291fa83c634ff62643d92503b8bfc92d589f420210a5b7da329f2fe
Instruction Fuzzy Hash: 7E618CB15243459FC710EF64C8489AEB3E8FF89314F04895EF98987252DB31E965CF92

Function 0026D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

FindFirstFileW.KERNEL32(?,?), ref: 0026D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0026D1DD
MoveFileW.KERNEL32(?,?), ref: 0026D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0026D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026D237

Part of subcall function 0026D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0026D21C,?,?), ref: 0026D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0026D253
FindClose.KERNEL32(00000000), ref: 0026D264

Strings

\*.*, xrefs: 0026D0CD, 0026D0D6, 0026D0EB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 75e9c18b717e43ab1f5fbdbfaf04784604caa728a07e1ba74582b46e16c8c97f
Instruction ID: 7c848654d2a91b4ebbda4f86cbe7fb835233c97e3cb6f9191226c27024a3fe6b
Opcode Fuzzy Hash: 75e9c18b717e43ab1f5fbdbfaf04784604caa728a07e1ba74582b46e16c8c97f
Instruction Fuzzy Hash: 05615D31D1124D9BCF05EFA0D9929EEB7B9AF55300F6041A5E80677192EB305FA9CF60

Function 0027ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0027ED91
EmptyClipboard.USER32 ref: 0027ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0027EDAC
CloseClipboard.USER32 ref: 0027EEA3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 17f5f723f55607e18e956f5bdd5b5156062a8e7cba9a15a471fe8d44cae5dec8
Instruction ID: 3dc440c794734e8f9cd0f380f552a6ec422f1e281056b010e6f76c3d3a4c3af2
Opcode Fuzzy Hash: 17f5f723f55607e18e956f5bdd5b5156062a8e7cba9a15a471fe8d44cae5dec8
Instruction Fuzzy Hash: 0E41F071614212AFD720CF15E88CF19BBE4FF48328F25C49AE4198B6A2C731EC51CBA0

Function 0026E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
Part of subcall function 002616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
Part of subcall function 002616C3: GetLastError.KERNEL32 ref: 0026174A

ExitWindowsEx.USER32(?,00000000), ref: 0026E932

Strings

@, xrefs: 0026E925
, xrefs: 0026E920
, xrefs: 0026E95C
SeShutdownPrivilege, xrefs: 0026E902

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 59567dece5c336f30380f49ecd9546589a9631a8900523e1ee3adf91fc52023c
Instruction ID: 304f633ac261cd2fcc31529a72fc8b0a20e994b101c254442e4de0aa60936800
Opcode Fuzzy Hash: 59567dece5c336f30380f49ecd9546589a9631a8900523e1ee3adf91fc52023c
Instruction Fuzzy Hash: BF01D676631211ABFF5466B4AC8AFBB736C9F14750F260522FC02E21D2E5A15CE085A0

Function 00281204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00281276
WSAGetLastError.WSOCK32 ref: 00281283
bind.WSOCK32(00000000,?,00000010), ref: 002812BA
WSAGetLastError.WSOCK32 ref: 002812C5
closesocket.WSOCK32(00000000), ref: 002812F4
listen.WSOCK32(00000000,00000005), ref: 00281303
WSAGetLastError.WSOCK32 ref: 0028130D
closesocket.WSOCK32(00000000), ref: 0028133C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6e56593340565237e796d518ed714f59cfd4cdefabeae0f5fbd0fa5eb6694c16
Instruction ID: dd1842c31087add5be9d8ae4e64c739e82c61ccb238f28b376fd7eddebf6d3b6
Opcode Fuzzy Hash: 6e56593340565237e796d518ed714f59cfd4cdefabeae0f5fbd0fa5eb6694c16
Instruction Fuzzy Hash: 8141B3356102119FD710EF24D488B69BBE9BF46318F288189D8568F2DBC771EC92CBE1

Function 0023B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0023B9D4
_free.LIBCMT ref: 0023B9F8
_free.LIBCMT ref: 0023BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002A3700), ref: 0023BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0023BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002D1270,000000FF,?,0000003F,00000000,?), ref: 0023BC36
_free.LIBCMT ref: 0023BD4B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: af09bfec680bfe6687a789ca50fd847807d1a8091ac4c224ef9fcc0456fb0130
Instruction ID: 0a2fb2c593c1c02ea9f73f7b53fd53802d0b06312e6fc4475f1a4ff2799e1503
Opcode Fuzzy Hash: af09bfec680bfe6687a789ca50fd847807d1a8091ac4c224ef9fcc0456fb0130
Instruction Fuzzy Hash: 9FC14BF1E24215AFCB22DF789C45BAABBB9EF41310F14419BEA94D7251DB308E61CB50

Function 0026D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

FindFirstFileW.KERNEL32(?,?), ref: 0026D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0026D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0026D481
FindClose.KERNEL32(00000000), ref: 0026D498
FindClose.KERNEL32(00000000), ref: 0026D4A1

Strings

\*.*, xrefs: 0026D3F2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 217edb77a72acc4c4d3e5bf27aabd93806c0cab3a6a3ef44272d54bc7d834699
Instruction ID: c369c9f6a6a0b39d0092927713ab4bef54a45046d44f4ef926c3e4e67fc9acce
Opcode Fuzzy Hash: 217edb77a72acc4c4d3e5bf27aabd93806c0cab3a6a3ef44272d54bc7d834699
Instruction Fuzzy Hash: A53182315283459FC304EF64D8959AF77A8BE91310F844A1DF4D1531D2EB30AE69DB63

Function 0023E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0023E645

Strings

1#INF, xrefs: 0023F852
1#IND, xrefs: 0023F83D
1#QNAN, xrefs: 0023F84B
1#SNAN, xrefs: 0023F844

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c314f489ab77f10b59804579daa8b62ca372b3d6d37051438458a9349cd44e84
Instruction ID: caecc16030d62c46132a4f16895be630a36163e5a71ad5f0f8b4c88b85eec49e
Opcode Fuzzy Hash: c314f489ab77f10b59804579daa8b62ca372b3d6d37051438458a9349cd44e84
Instruction Fuzzy Hash: 4BC26BB1E286298FDF65CE28DD407EAB7B5EB44304F1541EAD80DE7280E774AE958F40

Function 0027648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002764DC
CoInitialize.OLE32(00000000), ref: 00276639
CoCreateInstance.OLE32(0029FCF8,00000000,00000001,0029FB68,?), ref: 00276650
CoUninitialize.OLE32 ref: 002768D4

Strings

.lnk, xrefs: 002764BA, 00276524, 002765E0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 80d67746938b94b7253302c3082237b1ef5f0c50003f0b1e80b650ba6bba08e2
Instruction ID: 0bf6f2df67c557656579f393d7c3bfe993c0dab109d23c0f87e69be151e7ab7d
Opcode Fuzzy Hash: 80d67746938b94b7253302c3082237b1ef5f0c50003f0b1e80b650ba6bba08e2
Instruction Fuzzy Hash: CFD16A715287019FC304DF24C885D6BB7E9FF98304F50896DF5998B2A2EB30E959CB92

Function 002822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002822E8

Part of subcall function 0027E4EC: GetWindowRect.USER32(?,?), ref: 0027E504

GetDesktopWindow.USER32 ref: 00282312
GetWindowRect.USER32(00000000), ref: 00282319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00282355
GetCursorPos.USER32(?), ref: 00282381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002823DF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 32f49451fa9e11a286ae004e1ecb9cbdaf189cccbd069d56b8ebb3b582349a1f
Instruction ID: 5ebbabdb7933a5776c440739a52277f1b006a89689fadd11e6ae4a4472e0095d
Opcode Fuzzy Hash: 32f49451fa9e11a286ae004e1ecb9cbdaf189cccbd069d56b8ebb3b582349a1f
Instruction Fuzzy Hash: 8931E376505315AFDB20EF54D849F5BB7E9FF84310F10091AF985A7181DB34E918CB92

Function 00279B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00279B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00279C8B

Part of subcall function 00273874: GetInputState.USER32 ref: 002738CB
Part of subcall function 00273874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00273966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00279BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00279C75

Strings

*.*, xrefs: 00279B5D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4fae808f6c74fd63f8eb84e938451373e22cd565f4ab5fbad847968268c592f1
Instruction ID: c6bdae87c018971171e747c277e7650ac72e38c0e7f92e2cc24fc3d3b5da2b22
Opcode Fuzzy Hash: 4fae808f6c74fd63f8eb84e938451373e22cd565f4ab5fbad847968268c592f1
Instruction Fuzzy Hash: 8B41697191430A9FDF15DF64D949AEE7BB4EF09314F24815AE809A3191D7309EE4CF60

Function 0021997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00219A4E
GetSysColor.USER32(0000000F), ref: 00219B23
SetBkColor.GDI32(?,00000000), ref: 00219B36

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 730842acfbafa2ec0f7f2f3b633877a155c8543fe9f102ede2170c9fcf9c49ac
Instruction ID: 4df060ef45dc90e63291c8373cba698a50b5f21fc53747539e8f959a6209b839
Opcode Fuzzy Hash: 730842acfbafa2ec0f7f2f3b633877a155c8543fe9f102ede2170c9fcf9c49ac
Instruction Fuzzy Hash: 25A13A70278401BEE7249E2CAC78EFB26DDDF56301B14010AF802C6A91CA769DF9C675

Function 00281806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
Part of subcall function 0028304E: _wcslen.LIBCMT ref: 0028309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0028185D
WSAGetLastError.WSOCK32 ref: 00281884
bind.WSOCK32(00000000,?,00000010), ref: 002818DB
WSAGetLastError.WSOCK32 ref: 002818E6
closesocket.WSOCK32(00000000), ref: 00281915

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0552754bea037944fee5c80252b646994d82b0b8320e5bfa4520270110b96407
Instruction ID: ece3afa10149c4ab1648603ab0a57c648391a281fc9d8826b4cf2c1a7aa32fb4
Opcode Fuzzy Hash: 0552754bea037944fee5c80252b646994d82b0b8320e5bfa4520270110b96407
Instruction Fuzzy Hash: 9E51C675A102009FE710EF24C8CAF6A77E9AB44718F548098F9055F3D3C771ADA2CBA1

Function 00291C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00291CC0
IsWindowEnabled.USER32 ref: 00291CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00291CDB
IsIconic.USER32 ref: 00291CE9
IsZoomed.USER32 ref: 00291CF7

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4c59fadfc994500b76cea1d84aea92fac946c4adc404245600cb807093bf34bc
Instruction ID: a7dd05ebb21e55a9296c8986415c701ca4b13938c604a272748a89168c558193
Opcode Fuzzy Hash: 4c59fadfc994500b76cea1d84aea92fac946c4adc404245600cb807093bf34bc
Instruction Fuzzy Hash: 1921B5717502139FDB208F1BD888B6A7BE5EF85315F29806AE846CB351CB71DC62CB91

Function 00208060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0020813C
VUUU, xrefs: 0020843C
VUUU, xrefs: 002083E8
VUUU, xrefs: 002083FA
VUUU, xrefs: 00245DF0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 46dd340bb041d4874ee5c11f64e6c5b01338ababc4b7e083b5ed2c5252b658a7
Instruction ID: d84a074567485f51afec8148eaa057087f7dffdcca1518150fc97d02290761a6
Opcode Fuzzy Hash: 46dd340bb041d4874ee5c11f64e6c5b01338ababc4b7e083b5ed2c5252b658a7
Instruction Fuzzy Hash: 57A2B470E2072ACBDF28CF58C8447AEB7B1BF45310F1581A6D895A7286DB709DA1CF51

Function 00268298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002682AA

Strings

(, xrefs: 002682F0
|, xrefs: 002682DA
tb,, xrefs: 002684F4

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb,$|
API String ID: 1659193697-4185060631
Opcode ID: 872dd4038ce1489e7b62b29e646647104916dd4536cc2f7178004a65ab54051c
Instruction ID: a44049b76034b658b3925d11b8cb51e8c90272bcba6dbc017fe5ff0b0ac11014
Opcode Fuzzy Hash: 872dd4038ce1489e7b62b29e646647104916dd4536cc2f7178004a65ab54051c
Instruction Fuzzy Hash: 39323774A106069FCB28CF19C080A6AB7F0FF48710B15C56EE49ADB3A1EB70E991CB40

Function 0026AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0026AAAC
SetKeyboardState.USER32(00000080), ref: 0026AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0026AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0026AB88

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 35d6a25e32b41630b8b85e92c44e860f4a1fa6f1561f9ed0d1d9b755b5cd695c
Instruction ID: 9c02e3bde8dce77f661e8516d4bb145a4b05739620f3fad1d8bfcc92213ec38b
Opcode Fuzzy Hash: 35d6a25e32b41630b8b85e92c44e860f4a1fa6f1561f9ed0d1d9b755b5cd695c
Instruction Fuzzy Hash: 6C312730A60249AEEB35CF648C05BFE7BAAAB65314F14421BE081621D0D3758DE1CB62

Function 0027CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0027CE89
GetLastError.KERNEL32(?,00000000), ref: 0027CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0027CEFE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 50e0a069220b9ad181f5f5a9830179ffded317d449778ac7be87b17944fbba77
Instruction ID: 40a3799aa3728a2e44e42ab48651132b8b35ae23d68e7cf3879b2f355b1b7a95
Opcode Fuzzy Hash: 50e0a069220b9ad181f5f5a9830179ffded317d449778ac7be87b17944fbba77
Instruction Fuzzy Hash: 3021BDB1520706ABEB20DFA5D948BA6B7FCEF50314F20842EE64A92151E770EE548B64

Function 00275C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00275CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00275D17
FindClose.KERNEL32(?), ref: 00275D5F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 2602d7001fef77bab9b3ce9b5a049f216e48bdb6a6f1cdfb23bfb00e585d5cbf
Instruction ID: 230a098efdba6010786201ec0803e39fc3b00e708d542b2ac950cb0ec763400e
Opcode Fuzzy Hash: 2602d7001fef77bab9b3ce9b5a049f216e48bdb6a6f1cdfb23bfb00e585d5cbf
Instruction Fuzzy Hash: 905188746147029FC714CF28C488A96B7E4FF09314F14855EE95A8B3A2CB70E864CF91

Function 00232622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0023271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00232724
UnhandledExceptionFilter.KERNEL32(?), ref: 00232731

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a5fad59ce19c0776a29c247aecf3f6265b950eb8ff30a8a100e1ce29239474c0
Instruction ID: 175b198d0b54ddd57eb95c44ce6e2c2f6340899e342f4f7d011b7c0a3b0b990b
Opcode Fuzzy Hash: a5fad59ce19c0776a29c247aecf3f6265b950eb8ff30a8a100e1ce29239474c0
Instruction Fuzzy Hash: FA31B574911229ABCB21DF64EC8979DB7B8BF08310F5041EAE81CA7261E7709F958F45

Function 002751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00275238
SetErrorMode.KERNEL32(00000000), ref: 002752A1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 7ed8b8166d5d9fd347b97840701a5536efae56948fe01f84bcb9c1956df45642
Instruction ID: b47063a02b30b12762fe9c13b57225eb004c032e6209844cd1b62c2e941160f8
Opcode Fuzzy Hash: 7ed8b8166d5d9fd347b97840701a5536efae56948fe01f84bcb9c1956df45642
Instruction Fuzzy Hash: 21318075A10619DFDB00DF54D888EADBBF4FF08314F148099E809AB3A2CB71E855CB61

Function 002616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0021FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00220668
Part of subcall function 0021FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00220685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0026173A
GetLastError.KERNEL32 ref: 0026174A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f196f9dcba043f71b7d25501078e86c2ecd32852c29ee1990a9b6e8c97066781
Instruction ID: 9505c85377d909eb9d238a240f560d44e2511dd911f9ac68178231ef38f278f8
Opcode Fuzzy Hash: f196f9dcba043f71b7d25501078e86c2ecd32852c29ee1990a9b6e8c97066781
Instruction Fuzzy Hash: EA1191B2424305AFD7189F54ECC6DAAB7FDEB44714B24852EE05657241EB70BCA18B20

Function 0026D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0026D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0026D650

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4a04c5385163d2548193428399d42e815e43863aebef412bfaa4f3c6a01e531f
Instruction ID: 8377aeb8b1299e901bfae99a478c98041547cd5adb0bd1664d48d7a2a082bd97
Opcode Fuzzy Hash: 4a04c5385163d2548193428399d42e815e43863aebef412bfaa4f3c6a01e531f
Instruction Fuzzy Hash: 3F118475E05228BFDB108F95EC49FAFBFBCEB45B50F208156F908E7290D6704A058BA1

Function 00261663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0026168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002616A1
FreeSid.ADVAPI32(?), ref: 002616B1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 44400746c314a44b21695ec271bdfadd0fdd3ba4b8f58840392490ab24f5a9b0
Instruction ID: d8db1d0d108a6cd3b580b9b0d1e8b041f68479eb148c561b0f1c4920ed428b50
Opcode Fuzzy Hash: 44400746c314a44b21695ec271bdfadd0fdd3ba4b8f58840392490ab24f5a9b0
Instruction Fuzzy Hash: 06F0F475950309FBDB00DFE4DD89AAEBBBCEB08604F504565E501E2191E774AA548A50

Function 0023C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0023C36C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 91ff2dcc790373d26a55f4b4a4e1689027600dcfe809016c70b06687ef5550d6
Instruction ID: b9b7e50f025246183afdbc077eef236286e8ff8747b0d8c32c1f59eee25af277
Opcode Fuzzy Hash: 91ff2dcc790373d26a55f4b4a4e1689027600dcfe809016c70b06687ef5550d6
Instruction Fuzzy Hash: A4416CB2910219AFCB24EFB9DC4CEBB7778EB84314F2042A9F905E7180E670AD50CB50

Function 0025D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0025D28C

Strings

X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f4c2832eeef81a9d7d986b25419eea609fc3c7c0d14a79ba4ea48994428c03fb
Instruction ID: 2108f4551cf6f1aa3cef5bc8a15689748afd6871d35a2640900a6ae333e02347
Opcode Fuzzy Hash: f4c2832eeef81a9d7d986b25419eea609fc3c7c0d14a79ba4ea48994428c03fb
Instruction Fuzzy Hash: F0D0C9B482511DEFCB90CB90EC88DDEB3BCBB14305F100152F506E2000D7B095488F20

Function 0022CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: e3c507fa5afdba5d94ef7283280647b1747e20863589cc71aff50f26374ba78a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DF023D71E10129AFDF14CFA9D9806ADFBF1EF48314F25416AD819E7384D731AA51CB80

Function 0020CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00250C40
p#-, xrefs: 0020CF7F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#-
API String ID: 0-336391000
Opcode ID: aed66ec9ac6015ef5686a1e3973408dea558829cbd49eca625d8a425a5c5fbdd
Instruction ID: d5710df6791532abb78029f175ab46fadb13570ab512456800e0066f1655429c
Opcode Fuzzy Hash: aed66ec9ac6015ef5686a1e3973408dea558829cbd49eca625d8a425a5c5fbdd
Instruction Fuzzy Hash: D2329CB092031ADBDF14DF90C885AEDB7B5FF05304F24415AE806AB2D2DB71AE69CB51

Function 002768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00276918
FindClose.KERNEL32(00000000), ref: 00276961

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3f15ce5778ed4360c56ce2296d2189bf87421f98dad41055adf42a2b0ce93228
Instruction ID: e9bcf443694005d575a2debf81a2dcf6271b998ba1c14d9c89dd524453f51cec
Opcode Fuzzy Hash: 3f15ce5778ed4360c56ce2296d2189bf87421f98dad41055adf42a2b0ce93228
Instruction Fuzzy Hash: F511D071614601DFC710CF29D888A16BBE0FF84328F14C69AE9698F6A2CB30EC05CB91

Function 002737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00284891,?,?,00000035,?), ref: 002737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00284891,?,?,00000035,?), ref: 002737F4

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8b8d1886517dbb21f4febd141f347084442352fc29c3fb4d02a75ee11065b2d9
Instruction ID: 9755b86fd64ed124af6ad8a0c80294710a17efc9c6c3566967deaaf374ba4c17
Opcode Fuzzy Hash: 8b8d1886517dbb21f4febd141f347084442352fc29c3fb4d02a75ee11065b2d9
Instruction Fuzzy Hash: 7AF0E5B1A143292AEB2057669C4DFEB7BAEEFC4761F000166F509D2282D9709944CAB0

Function 0026B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0026B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0026B270

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0bc4ea288e117efce7c4ca6592e052d8bc9f47467341112fb040aab8bc233c6d
Instruction ID: d5b5d43994a7484c8f84f62c7549b0bca8c6b19f9552925111c8e879fee0d7e9
Opcode Fuzzy Hash: 0bc4ea288e117efce7c4ca6592e052d8bc9f47467341112fb040aab8bc233c6d
Instruction Fuzzy Hash: 85F01D7181428EABDB059FA0D805BEE7BB4FF04305F10801AF955A5192D3798651DF94

Function 002610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002611FC), ref: 002610D4
CloseHandle.KERNEL32(?,?,002611FC), ref: 002610E9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7cedfe7cfb5a0748a5225fb9858b67b1b93c3abdf07b29035a158d2f9698941c
Instruction ID: d1d87a48abf19fce67c79a44b2b950b98f6c38020146cc892235817a9a0e9d0c
Opcode Fuzzy Hash: 7cedfe7cfb5a0748a5225fb9858b67b1b93c3abdf07b29035a158d2f9698941c
Instruction Fuzzy Hash: 25E0BF72028611AEE7652B51FD09EB777E9EB04310F24882EF5A5804B1DB626CF0DB54

Function 0023676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00236766,?,?,00000008,?,?,0023FEFE,00000000), ref: 00236998

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ee9956abc92a82466a7e15ef4c0dac404ad5417e614a8c3da3248d31fa72c17d
Instruction ID: 57f2964c0202b4eed30d01d21cd88f2640729a013884cf829c6b8bbb6c40747e
Opcode Fuzzy Hash: ee9956abc92a82466a7e15ef4c0dac404ad5417e614a8c3da3248d31fa72c17d
Instruction Fuzzy Hash: 31B17DB1620609EFD715CF28C48AB647BE4FF09364F25C658E899CF2A2C335D9A5CB40

Function 0021B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0025851F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1ebb298d388e5596745a29918967fbb2affb455956f804fa875e06beba9a77e4
Instruction ID: 4e34c42dc4ccf22a6540ff7a190976bc360c04e16a47e7b9b53a9a8fe1935157
Opcode Fuzzy Hash: 1ebb298d388e5596745a29918967fbb2affb455956f804fa875e06beba9a77e4
Instruction Fuzzy Hash: BF128F719202299FDB25CF58C8806EEB7F5FF58310F14819AE809EB251EB709E95CF90

Function 0027EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0027EABD

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d6efd647adadcde522955ede0652643037c9020c8d653b7b44321484b29acbd1
Instruction ID: 127ea2d72cea27f071e6b57e7015f05bcac37c05c5c57bd04ee99293d9857a1a
Opcode Fuzzy Hash: d6efd647adadcde522955ede0652643037c9020c8d653b7b44321484b29acbd1
Instruction Fuzzy Hash: ABE012712202059FC710DF59D804D5AB7D9AF98760F118456FC49C7291DA70E8508BA1

Function 002209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002203EE), ref: 002209DA

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 02470db930c495d5e270ae193fe86c8c445a0bb3d0c28595abe5fb1437522263
Instruction ID: 02d9af1e46af3c11420e80196b0d448b43e8d2f0f805d5443aa388ecd266ec9c
Opcode Fuzzy Hash: 02470db930c495d5e270ae193fe86c8c445a0bb3d0c28595abe5fb1437522263
Instruction Fuzzy Hash:

Function 0022781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0022798B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6144aff7cb5cfcee4890abafac4d36b27463aa07c097e35cb4e8ebba113544a9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9151567163D7377ADB388DE8B85E7BE23899B02300F180519E982D7282C655DEB1E753

Function 00272046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&-, xrefs: 00272053

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: 0&-
API String ID: 0-1563157459
Opcode ID: 81dcc3ff8be4a5839db5bb3295c1243a7c2a539f5e23ba7f5f729f886139721e
Instruction ID: 5c7f4188d48a7cb3050ba8a27221ec6e62fa0b4eedebabcf83104e7b67812cee
Opcode Fuzzy Hash: 81dcc3ff8be4a5839db5bb3295c1243a7c2a539f5e23ba7f5f729f886139721e
Instruction Fuzzy Hash: 6E2196326216118BDB28CF79D81267A73E5A764310F198A2EE4A7C37D0DE35AD08CB90

Function 00236DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535fbc71ca8415ee94fb6bdd6aa4220f0243e7796c943db3924fa4baa74ffea0
Instruction ID: 3b3579c17e7b9577025c8fff1b9cdb877a185b3b5f4f8b5150c2e8e63e1afc65
Opcode Fuzzy Hash: 535fbc71ca8415ee94fb6bdd6aa4220f0243e7796c943db3924fa4baa74ffea0
Instruction Fuzzy Hash: 083214A1D39F018EDB239638D926335A649AFB73C5F15C737E81AB5DA6EF29C4834100

Function 0021CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5956f5abd842e8f9f75d7addfe4be7970914f353435c64862c0b541b8bb791f
Instruction ID: 0228424eedf97e14405bb6d9e0b5d9d0255434fa95b1baf6c04aaea86b2cfa42
Opcode Fuzzy Hash: f5956f5abd842e8f9f75d7addfe4be7970914f353435c64862c0b541b8bb791f
Instruction Fuzzy Hash: CC32E635A3430A8FCF24CE68C4946BD7BE1EB85316F388567DC4997291F230DDA9DA48

Function 00207920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b0a8110e35a285451584b3d5974fd7dc8f248d502915107b2c385ae72c4732
Instruction ID: b97c11a3ecfb4e6101cc6964f2cb0397c085f21b144f3f0752ffbbff4a8ac62b
Opcode Fuzzy Hash: 43b0a8110e35a285451584b3d5974fd7dc8f248d502915107b2c385ae72c4732
Instruction Fuzzy Hash: 8522D270E2061ADFDF18CF64D881AAEB7F5FF48300F144569E852A7292EB75AD60CB50

Function 002091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb79a9d4ed37c1bc0a633f26fcfd4f51a490ae5079abd32feab3f01c5d16527
Instruction ID: 021a48e6260d5bfa758b14a930e83a828341272bad3f999da1dc6cd5f2d243cc
Opcode Fuzzy Hash: 2cb79a9d4ed37c1bc0a633f26fcfd4f51a490ae5079abd32feab3f01c5d16527
Instruction Fuzzy Hash: BE02D7B0E20216EFDF04DF54D981AAEB7B5FF54300F118169E8169B291EB71AA70CF81

Function 00221C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 899cef7209ab897750f7dc496b8e619ec1108479a37621ad419802244a44f070
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EE919A725280B35ADB2D4ABDA53483EFFE15A623A131A079ED4F2CB1C5FE14C974D620

Function 002219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 96a177e45dda001515ada277d0e6c5f0e272d10ae9495c4f775d0fca0e227d9b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C59197722290F359DB2D4ABAA57483DFFF15AA23A131A07AED4F2CA1C1FD14C574D620

Function 00227A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bbed87b89ea7335b48e9b5d599a55c520fef5b8c9e6a0d86f44881fcc99b40e
Instruction ID: 7161a305cfb10834d3a10b5ccc49c4b11c7f10ca4ceeebf37f373a72d25edeb1
Opcode Fuzzy Hash: 3bbed87b89ea7335b48e9b5d599a55c520fef5b8c9e6a0d86f44881fcc99b40e
Instruction Fuzzy Hash: 7361673123C33BB6DE389DE8B895BBE2394EF41318F10091AF842CB291DA55DE728715

Function 00227CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc0b233611ccdcfade3b9364949c343be711435789ee85433c021b88957de7a
Instruction ID: 6f5830630f9f2d61815128a921cb47bf32e8c204c2b5dfe8a3c77f41867bcfab
Opcode Fuzzy Hash: 3bc0b233611ccdcfade3b9364949c343be711435789ee85433c021b88957de7a
Instruction Fuzzy Hash: 2761893123C73B76DA384EE87855BBF2388AF42700F100859E842DB281DB52ED72C666

Function 00221706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: cce3cd50c4cb47b266466a901af235747817fbf257f83a280e059eeafad34f06
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F28198335280B31DEB2D4AB9957483EFFE15AA23A131A079DD4F2CB1C1EE14C974D620

Function 00282ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00282B30
DeleteObject.GDI32(00000000), ref: 00282B43
DestroyWindow.USER32 ref: 00282B52
GetDesktopWindow.USER32 ref: 00282B6D
GetWindowRect.USER32(00000000), ref: 00282B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00282CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00282CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282CF8
GetClientRect.USER32(00000000,?), ref: 00282D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00282D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D80
GlobalLock.KERNEL32(00000000), ref: 00282D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282D98
GlobalUnlock.KERNEL32(00000000), ref: 00282DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282DA8
GlobalFree.KERNEL32(00000000), ref: 00282DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0029FC38,00000000), ref: 00282DDB
GlobalFree.KERNEL32(00000000), ref: 00282DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00282E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00282E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00282E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0028303F

Strings

static, xrefs: 00282D3A, 00282E91
AutoIt v3, xrefs: 00282CF2
DISPLAY, xrefs: 00282EA2
, xrefs: 00282FC5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 708c9c3d063f1295e109d21a7d507030b666046ac76d4a7d0ded4b44e7c21004
Instruction ID: 9f0d5f537120d120c06474c330d84b27622552daa6f2ec7fb9ad17ff78d29b4e
Opcode Fuzzy Hash: 708c9c3d063f1295e109d21a7d507030b666046ac76d4a7d0ded4b44e7c21004
Instruction Fuzzy Hash: 38028875A11209EFDB14DFA4DC89EAE7BB9EF48314F108159F915AB2A1CB70AD10CF60

Function 002970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0029712F
GetSysColorBrush.USER32(0000000F), ref: 00297160
GetSysColor.USER32(0000000F), ref: 0029716C
SetBkColor.GDI32(?,000000FF), ref: 00297186
SelectObject.GDI32(?,?), ref: 00297195
InflateRect.USER32(?,000000FF,000000FF), ref: 002971C0
GetSysColor.USER32(00000010), ref: 002971C8
CreateSolidBrush.GDI32(00000000), ref: 002971CF
FrameRect.USER32(?,?,00000000), ref: 002971DE
DeleteObject.GDI32(00000000), ref: 002971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00297230
FillRect.USER32(?,?,?), ref: 00297262
GetWindowLongW.USER32(?,000000F0), ref: 00297284

Part of subcall function 002973E8: GetSysColor.USER32(00000012), ref: 00297421
Part of subcall function 002973E8: SetTextColor.GDI32(?,?), ref: 00297425
Part of subcall function 002973E8: GetSysColorBrush.USER32(0000000F), ref: 0029743B
Part of subcall function 002973E8: GetSysColor.USER32(0000000F), ref: 00297446
Part of subcall function 002973E8: GetSysColor.USER32(00000011), ref: 00297463
Part of subcall function 002973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297471
Part of subcall function 002973E8: SelectObject.GDI32(?,00000000), ref: 00297482
Part of subcall function 002973E8: SetBkColor.GDI32(?,00000000), ref: 0029748B
Part of subcall function 002973E8: SelectObject.GDI32(?,?), ref: 00297498
Part of subcall function 002973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002974B7
Part of subcall function 002973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002974CE
Part of subcall function 002973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002974DB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4bbbd849c50efa51691e14ec519ce15bb669cf66561214054675def9cd568eb5
Instruction ID: 306d49d96c9f46b110fc587ac304982ac8aa5653585566d5da9949d44cc2e65d
Opcode Fuzzy Hash: 4bbbd849c50efa51691e14ec519ce15bb669cf66561214054675def9cd568eb5
Instruction Fuzzy Hash: FDA19272428301AFDB009F60EC4CE5B7BA9FF89320F600A1AF966A61E1D771E954CF51

Function 00218D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00218E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00256AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00256AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00256F43

Part of subcall function 00218F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00218BE8,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218FC5

SendMessageW.USER32(?,00001053), ref: 00256F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00256F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00256FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00256FB7

Strings

0, xrefs: 00256DCF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 09f9ff3f95f3462f65badff6e3fa59383a48f778995f675564795a3bb350b084
Instruction ID: 6e7f7a804f3281450ac733b170aa1cc6c8fae76e64fd25e270fda6915ead160a
Opcode Fuzzy Hash: 09f9ff3f95f3462f65badff6e3fa59383a48f778995f675564795a3bb350b084
Instruction Fuzzy Hash: 6812CD30621202AFDB25CF14D89CBA5B7F5FB54302F94442AF8859B662CB31ACB5CF95

Function 00282711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0028273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0028286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00282900
GetClientRect.USER32(00000000,?), ref: 0028290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00282955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00282964
GetStockObject.GDI32(00000011), ref: 00282974
SelectObject.GDI32(00000000,00000000), ref: 00282978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00282988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00282991
DeleteDC.GDI32(00000000), ref: 0028299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00282A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00282A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00282A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00282A77
GetStockObject.GDI32(00000011), ref: 00282A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00282A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00282A97

Strings

msctls_progress32, xrefs: 00282A13
static, xrefs: 0028294F, 00282A71
AutoIt v3, xrefs: 002828F8
DISPLAY, xrefs: 0028295A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1b604673c0af74597684b826d20eaa6e4ebb9dabd9ab51b6e242b726bb565bf8
Instruction ID: 151616e88d5c8b074f565b57e2972f00e1864d721f9505f218909c94f6beea59
Opcode Fuzzy Hash: 1b604673c0af74597684b826d20eaa6e4ebb9dabd9ab51b6e242b726bb565bf8
Instruction Fuzzy Hash: 9CB17A75A11205BFEB14DFA8DC4AFAEBBA9EB08710F108155F914E72D1D770AD50CBA0

Function 00274ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00274AED
GetDriveTypeW.KERNEL32(?,0029CB68,?,\\.\,0029CC08), ref: 00274BCA
SetErrorMode.KERNEL32(00000000,0029CB68,?,\\.\,0029CC08), ref: 00274D36

Strings

\\.\, xrefs: 00274B3F
ATAPI, xrefs: 00274C91
SCSI, xrefs: 00274C8A
PhysicalDrive, xrefs: 00274B76
MMC, xrefs: 00274CDE
Fixed, xrefs: 00274C09
Fibre, xrefs: 00274CAD
Network, xrefs: 00274C02
SSA, xrefs: 00274CA6
ATA, xrefs: 00274C98
iSCSI, xrefs: 00274CC2
RAMDisk, xrefs: 00274BF4
Unknown, xrefs: 00274BED, 00274C83
CDROM, xrefs: 00274BFB
1394, xrefs: 00274C9F
Virtual, xrefs: 00274CE5
FileBackedVirtual, xrefs: 00274CEC
SAS, xrefs: 00274CC9
Removable, xrefs: 00274C10, 00274C15
USB, xrefs: 00274CB4
SATA, xrefs: 00274CD0
SSD, xrefs: 00274C4A
RAID, xrefs: 00274CBB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e6a2526a357866a9c4b58fd47fe29c1ee2d0004b74a2f4ef05d00fd649a2dbf2
Instruction ID: bddc948a7365641b362543c82940fb05e3b7329b2a633d046229cf88f419850e
Opcode Fuzzy Hash: e6a2526a357866a9c4b58fd47fe29c1ee2d0004b74a2f4ef05d00fd649a2dbf2
Instruction Fuzzy Hash: B561A2316352069BCB15EF24C985E6977A0AF06304B24C21FF80BAB692DB71EDB1DB51

Function 002973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00297421
SetTextColor.GDI32(?,?), ref: 00297425
GetSysColorBrush.USER32(0000000F), ref: 0029743B
GetSysColor.USER32(0000000F), ref: 00297446
CreateSolidBrush.GDI32(?), ref: 0029744B
GetSysColor.USER32(00000011), ref: 00297463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297471
SelectObject.GDI32(?,00000000), ref: 00297482
SetBkColor.GDI32(?,00000000), ref: 0029748B
SelectObject.GDI32(?,?), ref: 00297498
InflateRect.USER32(?,000000FF,000000FF), ref: 002974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0029752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00297554
InflateRect.USER32(?,000000FD,000000FD), ref: 00297572
DrawFocusRect.USER32(?,?), ref: 0029757D
GetSysColor.USER32(00000011), ref: 0029758E
SetTextColor.GDI32(?,00000000), ref: 00297596
DrawTextW.USER32(?,002970F5,000000FF,?,00000000), ref: 002975A8
SelectObject.GDI32(?,?), ref: 002975BF
DeleteObject.GDI32(?), ref: 002975CA
SelectObject.GDI32(?,?), ref: 002975D0
DeleteObject.GDI32(?), ref: 002975D5
SetTextColor.GDI32(?,?), ref: 002975DB
SetBkColor.GDI32(?,?), ref: 002975E5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 591a4a731e45ba87e6f0d93a2892ddbce915ae52ac6dc37fe719338a7bc5de1f
Instruction ID: a7669c2c6deabc6563425a5cf208dc69b759647cbdd3b4893c1b6303fd375be4
Opcode Fuzzy Hash: 591a4a731e45ba87e6f0d93a2892ddbce915ae52ac6dc37fe719338a7bc5de1f
Instruction Fuzzy Hash: 87616D72910219AFDF019FA4EC49EEEBFB9EB08320F214116F915BB2A1D7709950CF90

Function 00290FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00291128
GetDesktopWindow.USER32 ref: 0029113D
GetWindowRect.USER32(00000000), ref: 00291144
GetWindowLongW.USER32(?,000000F0), ref: 00291199
DestroyWindow.USER32(?), ref: 002911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0029120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0029121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00291232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00291245
IsWindowVisible.USER32(00000000), ref: 002912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002912D0
GetWindowRect.USER32(00000000,?), ref: 002912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0029130E
GetMonitorInfoW.USER32(00000000,?), ref: 00291328
CopyRect.USER32(?,?), ref: 0029133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002913AA

Strings

(, xrefs: 0029131B
tooltips_class32, xrefs: 002911E6
0, xrefs: 002910D3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 93c31b664d82a4ed151a39726423f7f781830d978b65ed7b1b91e906441dd325
Instruction ID: 3a8dee615b0c2773bb1fd6df9105d14bad3c52cb55416420e35c2937de7011b6
Opcode Fuzzy Hash: 93c31b664d82a4ed151a39726423f7f781830d978b65ed7b1b91e906441dd325
Instruction Fuzzy Hash: 20B1BE71614342AFDB10DF25C888B6ABBE4FF88354F008959F9999B2A1C731E864CF91

Function 00290241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002902E5
_wcslen.LIBCMT ref: 0029031F
_wcslen.LIBCMT ref: 00290389
_wcslen.LIBCMT ref: 002903F1
_wcslen.LIBCMT ref: 00290475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00290504

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

Part of subcall function 0026223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00262258
Part of subcall function 0026223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0026228A

Strings

SELECT, xrefs: 00290548
GETTEXT, xrefs: 002903EC, 00290407
DESELECT, xrefs: 0029059C
FINDITEM, xrefs: 00290627
SELECTCLEAR, xrefs: 0029052D
GETSELECTEDCOUNT, xrefs: 00290470, 0029048B
GETITEMCOUNT, xrefs: 00290316, 00290337
GETSELECTED, xrefs: 002905E1
ISSELECTED, xrefs: 002904DD
SELECTINVERT, xrefs: 0029057E
GETSUBITEMCOUNT, xrefs: 00290384, 0029039F
VIEWCHANGE, xrefs: 00290675
SELECTALL, xrefs: 00290515

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 395ce7d143d021461ea89b52a943b29b08556880d5fc7da69313923cc666dc0b
Instruction ID: 5da908fdb6ebfd122a3b8be21a46ce18003103a66577f81500e6ab8b24217a97
Opcode Fuzzy Hash: 395ce7d143d021461ea89b52a943b29b08556880d5fc7da69313923cc666dc0b
Instruction Fuzzy Hash: BFE1A1312383068FCB14DF24C99092AB7E6BFD8714B54466DF8969B2A2DB30ED65CF41

Function 00218891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00218968
GetSystemMetrics.USER32(00000007), ref: 00218970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0021899B
GetSystemMetrics.USER32(00000008), ref: 002189A3
GetSystemMetrics.USER32(00000004), ref: 002189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00218A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00218A3C
GetClientRect.USER32(00000000,000000FF), ref: 00218A5A
GetStockObject.GDI32(00000011), ref: 00218A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00218A81

Part of subcall function 0021912D: GetCursorPos.USER32(?), ref: 00219141
Part of subcall function 0021912D: ScreenToClient.USER32(00000000,?), ref: 0021915E
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000001), ref: 00219183
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000002), ref: 0021919D

SetTimer.USER32(00000000,00000000,00000028,002190FC), ref: 00218AA8

Strings

AutoIt v3 GUI, xrefs: 00218A20

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 538c454da999f77272bf9e916066dbbad9e940b5624102f758e2ea457961280a
Instruction ID: 2d8c93002c7d285d02646a02be7432f25b26cfe10bccf88904c270d42357ecbf
Opcode Fuzzy Hash: 538c454da999f77272bf9e916066dbbad9e940b5624102f758e2ea457961280a
Instruction Fuzzy Hash: 72B17031A1020AAFDB14DFA8DC99BEE7BB5FB48315F11421AFA15E7290DB709860CF54

Function 00260D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
Part of subcall function 002610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
Part of subcall function 002610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
Part of subcall function 002610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
Part of subcall function 002610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00260DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00260E29
GetLengthSid.ADVAPI32(?), ref: 00260E40
GetAce.ADVAPI32(?,00000000,?), ref: 00260E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00260E96
GetLengthSid.ADVAPI32(?), ref: 00260EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00260EB5
HeapAlloc.KERNEL32(00000000), ref: 00260EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00260EDD
CopySid.ADVAPI32(00000000), ref: 00260EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00260F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00260F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00260F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F6E
HeapFree.KERNEL32(00000000), ref: 00260F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F7E
HeapFree.KERNEL32(00000000), ref: 00260F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00260F8E
HeapFree.KERNEL32(00000000), ref: 00260F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00260FA1
HeapFree.KERNEL32(00000000), ref: 00260FA8

Part of subcall function 00261193: GetProcessHeap.KERNEL32(00000008,00260BB1,?,00000000,?,00260BB1,?), ref: 002611A1
Part of subcall function 00261193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260BB1,?), ref: 002611A8
Part of subcall function 00261193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00260BB1,?), ref: 002611B7

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 11a481cfd67781697a99df28221d1cae506c773850cf9b0ea3bc34958a34f033
Instruction ID: 8a744f30febf2ac4fe290bfe8c3e3905e7fefb689dd2b3567cdc8c4c780ddc5d
Opcode Fuzzy Hash: 11a481cfd67781697a99df28221d1cae506c773850cf9b0ea3bc34958a34f033
Instruction Fuzzy Hash: 71717B7291021AEBDF20DFA5EC88FAFBBB8BF04300F144125F919A6191DB319965DB60

Function 0028C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0029CC08,00000000,?,00000000,?,?), ref: 0028C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0028C5A4
_wcslen.LIBCMT ref: 0028C5F4
_wcslen.LIBCMT ref: 0028C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0028C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0028C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0028C84D
RegCloseKey.ADVAPI32(?), ref: 0028C881
RegCloseKey.ADVAPI32(00000000), ref: 0028C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0028C960

Strings

REG_DWORD, xrefs: 0028C804
REG_MULTI_SZ, xrefs: 0028C6F5
REG_BINARY, xrefs: 0028C913
REG_QWORD, xrefs: 0028C8C3
REG_EXPAND_SZ, xrefs: 0028C5CD
REG_SZ, xrefs: 0028C644

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8a5aefecbdb4113dd0abe7a651c0458cf0e823b26da211a1fd9506cbbf09276f
Instruction ID: de11a5bb8fba220eabef41395d182a58df17e35ef935f04ab98c86e51d24e38f
Opcode Fuzzy Hash: 8a5aefecbdb4113dd0abe7a651c0458cf0e823b26da211a1fd9506cbbf09276f
Instruction Fuzzy Hash: BB1268356242019FCB14EF14C895A2ABBE5EF88714F14889DF84A9B3A2DB30FC51CF91

Function 0029091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002909C6
_wcslen.LIBCMT ref: 00290A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00290A54
_wcslen.LIBCMT ref: 00290A8A
_wcslen.LIBCMT ref: 00290B06
_wcslen.LIBCMT ref: 00290B81

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

Part of subcall function 00262BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00262BFA

Strings

SELECT, xrefs: 00290D11
GETTEXT, xrefs: 00290C97
GETSELECTED, xrefs: 00290C4E
GETTOTALCOUNT, xrefs: 002909F2, 00290A17
EXISTS, xrefs: 00290B7C, 00290B97
UNCHECK, xrefs: 00290D3E
GETITEMCOUNT, xrefs: 00290C1E
COLLAPSE, xrefs: 00290B01, 00290B1C
EXPAND, xrefs: 00290BF8
ISCHECKED, xrefs: 00290CE1
CHECK, xrefs: 00290A85, 00290AA0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c2cc53a7f0cb94630ae541b7a766b39dfe56fc0ddf086978e7ed7e657e25f104
Instruction ID: b700165ca8f8dc0612d83177d9db208a322864ae99466d5763bf3821efdb569a
Opcode Fuzzy Hash: c2cc53a7f0cb94630ae541b7a766b39dfe56fc0ddf086978e7ed7e657e25f104
Instruction Fuzzy Hash: 48E18D312287069FCB14DF24C49096AB7E1FF98318B14895DF8969B3A2D730EDA5CF91

Function 0028C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
_wcslen.LIBCMT ref: 0028C9F1
_wcslen.LIBCMT ref: 0028CA68
_wcslen.LIBCMT ref: 0028CA9E
_wcslen.LIBCMT ref: 0028CAF9
_wcslen.LIBCMT ref: 0028CB2F
_wcslen.LIBCMT ref: 0028CB7F

Strings

HKCC, xrefs: 0028CBAC
HKEY_CURRENT_CONFIG, xrefs: 0028CB79, 0028CB7E
HKCR, xrefs: 0028CB29, 0028CB2E
HKCU, xrefs: 0028CBCE
HKEY_USERS, xrefs: 0028CBDF
HKU, xrefs: 0028CBF0
HKEY_CLASSES_ROOT, xrefs: 0028CAF3, 0028CAF8
HKLM, xrefs: 0028CA98, 0028CA9D
HKEY_CURRENT_USER, xrefs: 0028CBBD
HKEY_LOCAL_MACHINE, xrefs: 0028CA62, 0028CA67

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 54baacbc45f7954de1f9ed1cd004d4a9c3a2e7b4a3866fc18b548d3ebb573b67
Instruction ID: c30036a0b2a9081a694331fc2a296c1a0c2fd3ddf9f858793c28ab8cac981588
Opcode Fuzzy Hash: 54baacbc45f7954de1f9ed1cd004d4a9c3a2e7b4a3866fc18b548d3ebb573b67
Instruction Fuzzy Hash: FE71253663152B8BCB20FE7CDD41ABA3395AB60754B310229F866972C5E771CDB487B0

Function 0029833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029835A
_wcslen.LIBCMT ref: 0029836E
_wcslen.LIBCMT ref: 00298391
_wcslen.LIBCMT ref: 002983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00295BF2), ref: 0029844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298501
FreeLibrary.KERNEL32(?), ref: 0029850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0029851D
DestroyIcon.USER32(?,?,?,?,?,00295BF2), ref: 0029852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00298549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00298555

Strings

.icl, xrefs: 00298368
.dll, xrefs: 002983AB
.exe, xrefs: 00298388

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6b4a1f24850bf7dd12b85ac5bdb9ce7440abc589a461e61d5409cc638e8812e4
Instruction ID: d34085eb33f0035902aab4003a28af4ea9b3f8209206d4e1a55a627ff801a586
Opcode Fuzzy Hash: 6b4a1f24850bf7dd12b85ac5bdb9ce7440abc589a461e61d5409cc638e8812e4
Instruction Fuzzy Hash: 8F61F271920216BFEF14DF64DC45BBE77A8BF05720F60460AF815D60D1DBB4A9A4CBA0

Function 00207778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00245153
', xrefs: 00245169
Bad directive syntax error, xrefs: 0024519A
#OnAutoItStartRegister, xrefs: 00207817
#pragma compile, xrefs: 002077D3
#comments-end, xrefs: 002078D9
Unterminated group of comments, xrefs: 0024528C
#comments-start, xrefs: 0020785F, 002078B1
#notrayicon, xrefs: 002077E7
#requireadmin, xrefs: 002077FF
#cs, xrefs: 00207873, 002078C5
#ce, xrefs: 002078ED
#include, xrefs: 00207847
#include-once, xrefs: 0020782F
Cannot parse #include, xrefs: 00245279

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d2da3d9974d19a9fa66543d4b05a287d04a1de9c23e3755b75d985d210108921
Instruction ID: 2c11021c0e6b86ccddffe0785ca6fc5b6b2534ae8fda5ba947eeef5ae4d86954
Opcode Fuzzy Hash: d2da3d9974d19a9fa66543d4b05a287d04a1de9c23e3755b75d985d210108921
Instruction Fuzzy Hash: 1281E871A34315BBDB24AF60DC42FAE77A8AF55340F044025F909AA1D3EB70D971CAA1

Function 00273E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00273EF8
_wcslen.LIBCMT ref: 00273F03
_wcslen.LIBCMT ref: 00273F5A
_wcslen.LIBCMT ref: 00273F98
GetDriveTypeW.KERNEL32(?), ref: 00273FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00274059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00274087

Strings

open , xrefs: 00273FE5
close, xrefs: 00273EFE, 00273F18
closed, xrefs: 00273F08, 00273F2D, 00273F46, 00273F7E, 00273F97
wait, xrefs: 00274044
close cd wait, xrefs: 00274072
open, xrefs: 00273F54, 00273F59
set cd door , xrefs: 00274028
type cdaudio alias cd wait, xrefs: 00274001

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 705b838ead63ebe1b96a790d8fd7f4e14a4c03b54b202b0aa2239173ceb3a79a
Instruction ID: 854caddfda9719f616e7258d202f6c4c9e28d663de1f10abd598ceb04b8fe062
Opcode Fuzzy Hash: 705b838ead63ebe1b96a790d8fd7f4e14a4c03b54b202b0aa2239173ceb3a79a
Instruction Fuzzy Hash: 687115715243129FC310EF24C88496BB7F4EF94754F108A2DF89A93292EB31DE65CB92

Function 00265A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00265A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00265A40
SetWindowTextW.USER32(?,?), ref: 00265A57
GetDlgItem.USER32(?,000003EA), ref: 00265A6C
SetWindowTextW.USER32(00000000,?), ref: 00265A72
GetDlgItem.USER32(?,000003E9), ref: 00265A82
SetWindowTextW.USER32(00000000,?), ref: 00265A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00265AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00265AC3
GetWindowRect.USER32(?,?), ref: 00265ACC
_wcslen.LIBCMT ref: 00265B33
SetWindowTextW.USER32(?,?), ref: 00265B6F
GetDesktopWindow.USER32 ref: 00265B75
GetWindowRect.USER32(00000000), ref: 00265B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00265BD3
GetClientRect.USER32(?,?), ref: 00265BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00265C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00265C2F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 89de62350120ad461da6772865f7d1f64369955ca6ab217a3c402467a44b0014
Instruction ID: 912813132c3466eefdc5a163b34c9ffb2065129f78f14872fcb1cc00fb342c69
Opcode Fuzzy Hash: 89de62350120ad461da6772865f7d1f64369955ca6ab217a3c402467a44b0014
Instruction Fuzzy Hash: 71719031910B16EFDB20DFA8CE89AAEBBF5FF48704F100519E142A25A4D774E990CF50

Function 0027FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0027FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0027FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0027FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0027FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0027FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0027FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0027FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0027FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0027FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0027FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0027FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0027FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0027FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0027FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0027FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0027FECC
GetCursorInfo.USER32(?), ref: 0027FEDC
GetLastError.KERNEL32 ref: 0027FF1E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: a96c45d190b5e933cdf4b47dc1a8e3c057c747de98be6bc368d3e929ae46a387
Instruction ID: 395333118f852da9de16d4d2b85e82497f84baef06fba45010ea9b6643466ef0
Opcode Fuzzy Hash: a96c45d190b5e933cdf4b47dc1a8e3c057c747de98be6bc368d3e929ae46a387
Instruction Fuzzy Hash: F34174B0D1831A6ADB109FBA8C8985EBFE8FF04354B50852AE11DE7681DB789901CE91

Function 002630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026318D
_wcslen.LIBCMT ref: 002631F8

Strings

REGEXPCLASS, xrefs: 00263255, 00263266
TEXT, xrefs: 0026347C
NAME, xrefs: 00263335, 00263346
INSTANCE, xrefs: 00263453
[,, xrefs: 0026339A
CLASS, xrefs: 00263188, 002631A5
CLASSNN, xrefs: 002631F3, 00263204

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[,
API String ID: 176396367-3538303901
Opcode ID: af865e9831da34e8abb9063e02a7dff5bf74af327a9b0fb133d94e7ce3dcadff
Instruction ID: c160ecd0efd1ce232059a231d6a1719020498131b2f96a284b68189a9a7611d3
Opcode Fuzzy Hash: af865e9831da34e8abb9063e02a7dff5bf74af327a9b0fb133d94e7ce3dcadff
Instruction Fuzzy Hash: 79E1E532A20626ABCB14DFA8C451BEDFBB0BF54710F548259E456E7240DF70AEE58BD0

Function 002200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002200C6

Part of subcall function 002200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002D070C,00000FA0,C435DE36,?,?,?,?,002423B3,000000FF), ref: 0022011C
Part of subcall function 002200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002423B3,000000FF), ref: 00220127
Part of subcall function 002200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002423B3,000000FF), ref: 00220138
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0022014E
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0022015C
Part of subcall function 002200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0022016A
Part of subcall function 002200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00220195
Part of subcall function 002200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002201A0

___scrt_fastfail.LIBCMT ref: 002200E7

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

Strings

InitializeConditionVariable, xrefs: 00220148
WakeAllConditionVariable, xrefs: 00220162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00220122
kernel32.dll, xrefs: 00220133
SleepConditionVariableCS, xrefs: 00220154

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 223a87bd37882a9ed9dc10872db4107550080ea65aa21800fe8813828183797b
Instruction ID: 3baa09bc26e6c9715c4b9970e1388c469dfcdf846567bb44d353c258ff07d27a
Opcode Fuzzy Hash: 223a87bd37882a9ed9dc10872db4107550080ea65aa21800fe8813828183797b
Instruction Fuzzy Hash: 5B212C32A653217BE7505FF4BD8DB5973D4DB05B51F10012BF809D62A2DB645C208AA4

Function 002744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0029CC08), ref: 00274527
_wcslen.LIBCMT ref: 0027453B
_wcslen.LIBCMT ref: 00274599
_wcslen.LIBCMT ref: 002745F4
_wcslen.LIBCMT ref: 0027463F
_wcslen.LIBCMT ref: 002746A7

Part of subcall function 0021F9F2: _wcslen.LIBCMT ref: 0021F9FD

GetDriveTypeW.KERNEL32(?,002C6BF0,00000061), ref: 00274743

Strings

removable, xrefs: 002745EA, 002745EF
unknown, xrefs: 00274708
ramdisk, xrefs: 002746F1
network, xrefs: 0027469D, 002746A2
all, xrefs: 00274531, 00274536
fixed, xrefs: 00274635, 0027463A
cdrom, xrefs: 0027458F, 00274594

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6bbd1830a364af1e417b087f906de528a49d9a02ff670ecdf9e3f2942a126aa1
Instruction ID: 6976679628b3dd34864b1d0138d2062966839014a11e5fe562c48110316d6c2f
Opcode Fuzzy Hash: 6bbd1830a364af1e417b087f906de528a49d9a02ff670ecdf9e3f2942a126aa1
Instruction Fuzzy Hash: 54B104716283039FC714EF28C890A6AF7E5AFA5724F508A1DF49AC7292D770DC64CB52

Function 0029911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

DragQueryPoint.SHELL32(?,?), ref: 00299147

Part of subcall function 00297674: ClientToScreen.USER32(?,?), ref: 0029769A
Part of subcall function 00297674: GetWindowRect.USER32(?,?), ref: 00297710
Part of subcall function 00297674: PtInRect.USER32(?,?,00298B89), ref: 00297720

SendMessageW.USER32(?,000000B0,?,?), ref: 002991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00299225
SendMessageW.USER32(?,000000B0,?,?), ref: 0029923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00299255
SendMessageW.USER32(?,000000B1,?,?), ref: 00299277
DragFinish.SHELL32(?), ref: 0029927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00299371

Strings

p#-, xrefs: 002992BB
@GUI_DROPID, xrefs: 0029929E
@GUI_DRAGFILE, xrefs: 00299320
@GUI_DRAGID, xrefs: 002992E9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#-
API String ID: 221274066-899051560
Opcode ID: 10fd8bba88a8abd26c7b72d194939ec85b6293a93362b0b6e920ac349d4a2fe7
Instruction ID: 8c307bb7ac8bcbd964786140333dac582805b9d6168002425e89c205744e8056
Opcode Fuzzy Hash: 10fd8bba88a8abd26c7b72d194939ec85b6293a93362b0b6e920ac349d4a2fe7
Instruction Fuzzy Hash: 82619C71518301AFD704DF64DC89DAFBBE8EF89350F500A1EF592921A1DB309A68CF62

Function 0020326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002D1990), ref: 00242F8D
GetMenuItemCount.USER32(002D1990), ref: 0024303D
GetCursorPos.USER32(?), ref: 00243081
SetForegroundWindow.USER32(00000000), ref: 0024308A
TrackPopupMenuEx.USER32(002D1990,00000000,?,00000000,00000000,00000000), ref: 0024309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002430A9

Strings

0, xrefs: 0020327D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4c97d787f26c0a049d6685568c54cfb4c830cb04143293f93eaa80a685f5b6ef
Instruction ID: 5980bb2dd8bd166e17346aa4e23f1e683628a6f92aedb4a678db6f9b6c78b170
Opcode Fuzzy Hash: 4c97d787f26c0a049d6685568c54cfb4c830cb04143293f93eaa80a685f5b6ef
Instruction Fuzzy Hash: 09710771660206BEEB25CF65DC49F9ABF68FF01324F600206F914A61E1C7B1AD74CB50

Function 00296CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00296DEB

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00296E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00296E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00296E94
DestroyWindow.USER32(?), ref: 00296EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00200000,00000000), ref: 00296EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00296EFD
GetDesktopWindow.USER32 ref: 00296F16
GetWindowRect.USER32(00000000), ref: 00296F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00296F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00296F4D

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

Strings

0, xrefs: 00296D98
tooltips_class32, xrefs: 00296E58, 00296EDD

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 16eca1a57cb1155254f42bd96130f90294cf8c09a176cd221071541f56612506
Instruction ID: e7359b06937505a700b0a6adf4c8e789ad15350531799e1588e6ee1fd3474b2e
Opcode Fuzzy Hash: 16eca1a57cb1155254f42bd96130f90294cf8c09a176cd221071541f56612506
Instruction Fuzzy Hash: D2717670514341AFDB25CF18EC58FBABBE9FB89304F54041EF98A972A1C770A926CB11

Function 0027C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0027C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0027C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0027C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027C5F0
InternetCloseHandle.WININET(00000000), ref: 0027C5FB

Strings

, xrefs: 0027C575

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2e6397dd1c698c4bebb71b38a6ffe1fc7bdf46c2e48c191da232edea11091ed3
Instruction ID: 25df4dea2ab612fb0642716d1daaf70ceab3596bfe830c8cdc376ee277e53abc
Opcode Fuzzy Hash: 2e6397dd1c698c4bebb71b38a6ffe1fc7bdf46c2e48c191da232edea11091ed3
Instruction Fuzzy Hash: 64516CB1510609BFDB218FB1DD88AAB7BBCFF08754F60841EF949A6210DB31E9549B60

Function 0029856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00298592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985BA
GlobalLock.KERNEL32(00000000), ref: 002985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985D7
GlobalUnlock.KERNEL32(00000000), ref: 002985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0029FC38,?), ref: 00298611
GlobalFree.KERNEL32(00000000), ref: 00298621
GetObjectW.GDI32(?,00000018,?), ref: 00298641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00298671
DeleteObject.GDI32(?), ref: 00298699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002986AF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6b36a7f2c663c164515bcf65e6e1b173a0b534e823ec1839ee52c261b7b68c52
Instruction ID: 4e58f95636561e6c5122b6a532d7587ff8910a54dd0666e81c22fdadbd6ae028
Opcode Fuzzy Hash: 6b36a7f2c663c164515bcf65e6e1b173a0b534e823ec1839ee52c261b7b68c52
Instruction Fuzzy Hash: 6A411975600205AFDB11DFA5DD4CEAA7BBCFF8A711F254059F909EB260DB709901CB60

Function 002714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00271502
VariantCopy.OLEAUT32(?,?), ref: 0027150B
VariantClear.OLEAUT32(?), ref: 00271517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00271657
VariantInit.OLEAUT32(?), ref: 00271708
SysFreeString.OLEAUT32(?), ref: 0027178C
VariantClear.OLEAUT32(?), ref: 002717D8
VariantClear.OLEAUT32(?), ref: 002717E7
VariantInit.OLEAUT32(00000000), ref: 00271823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00271625
Default, xrefs: 002716AF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 7ad19e29a0e5ec25c22e4cc327b90240174ca3cd96ff2496c32317a076ddb962
Instruction ID: 09c7ac6c3a0d56e490b2a5ca25bd0d43cfabe3193680ffb7318f959238e37358
Opcode Fuzzy Hash: 7ad19e29a0e5ec25c22e4cc327b90240174ca3cd96ff2496c32317a076ddb962
Instruction Fuzzy Hash: 7FD11371A20206EBDF189F69E889BB9B7B5BF45700F64C056E40AAB181DB70DC70DB61

Function 0028B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0028B80A
RegCloseKey.ADVAPI32(?), ref: 0028B87E
RegCloseKey.ADVAPI32(?), ref: 0028B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0028B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0028B922
FreeLibrary.KERNEL32(00000000), ref: 0028B983
RegCloseKey.ADVAPI32(00000000), ref: 0028B994

Strings

advapi32.dll, xrefs: 0028B8ED
RegDeleteKeyExW, xrefs: 0028B8FE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 747dfc3abcee9289218d259a69465889a3acb34933b80d960e17c7fdb53669c5
Instruction ID: 2dc87e0fb4536e1c3e968f998065cf48fec7f75b99d696eae554275b2c964ad6
Opcode Fuzzy Hash: 747dfc3abcee9289218d259a69465889a3acb34933b80d960e17c7fdb53669c5
Instruction Fuzzy Hash: CBC18A35225302AFD711EF14C494F2ABBE5AF84308F24859CE59A8B6E2CB71E855CF91

Function 0028255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002825E8
CreateCompatibleDC.GDI32(?), ref: 002825F4
SelectObject.GDI32(00000000,?), ref: 00282601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0028266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002826D0
SelectObject.GDI32(?,?), ref: 002826D8
DeleteObject.GDI32(?), ref: 002826E1
DeleteDC.GDI32(?), ref: 002826E8
ReleaseDC.USER32(00000000,?), ref: 002826F3

Strings

(, xrefs: 0028268D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 66bcf0f87179029167deef6d2df2a41497ec185f2c31f714c10ef36f622b0d80
Instruction ID: e49b6aa1cf289d6ad71710b5c69f9238c01f666466ab418f776b38e0d6e6959c
Opcode Fuzzy Hash: 66bcf0f87179029167deef6d2df2a41497ec185f2c31f714c10ef36f622b0d80
Instruction Fuzzy Hash: 6F610675D10219EFCF04DFA4D884AAEBBF5FF48310F20852AE959A7250E770A951CF60

Function 0023DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0023DAA1

Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D659
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D66B
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D67D
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D68F
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6A1
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6B3
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6C5
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6D7
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6E9
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D6FB
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D70D
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D71F
Part of subcall function 0023D63C: _free.LIBCMT ref: 0023D731

_free.LIBCMT ref: 0023DA96

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023DAB8
_free.LIBCMT ref: 0023DACD
_free.LIBCMT ref: 0023DAD8
_free.LIBCMT ref: 0023DAFA
_free.LIBCMT ref: 0023DB0D
_free.LIBCMT ref: 0023DB1B
_free.LIBCMT ref: 0023DB26
_free.LIBCMT ref: 0023DB5E
_free.LIBCMT ref: 0023DB65
_free.LIBCMT ref: 0023DB82
_free.LIBCMT ref: 0023DB9A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8749b419baa9afa0c21b940f82fd879044e322747e658473dc27e23030a6feea
Instruction ID: 055490cfbab14a94bf0009e45f620a94370ec595c82ce414ac804786e65ee05c
Opcode Fuzzy Hash: 8749b419baa9afa0c21b940f82fd879044e322747e658473dc27e23030a6feea
Instruction Fuzzy Hash: 90315AB1664206DFEB22AE39F845B5AB7E9FF00310F25545AE458D7191DE31EC648B20

Function 0026365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0026369C
_wcslen.LIBCMT ref: 002636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00263797
GetClassNameW.USER32(?,?,00000400), ref: 0026380C
GetDlgCtrlID.USER32(?), ref: 0026385D
GetWindowRect.USER32(?,?), ref: 00263882
GetParent.USER32(?), ref: 002638A0
ScreenToClient.USER32(00000000), ref: 002638A7
GetClassNameW.USER32(?,?,00000100), ref: 00263921
GetWindowTextW.USER32(?,?,00000400), ref: 0026395D

Strings

%s%u, xrefs: 00263734

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 367b9a853da9ea122e2933490ed5e936554f67e7b35842b86574dffc046e3170
Instruction ID: 2dc8ae45c62d9f4e2366540a111dc616839308e104bed954cadf3f55bba6d078
Opcode Fuzzy Hash: 367b9a853da9ea122e2933490ed5e936554f67e7b35842b86574dffc046e3170
Instruction Fuzzy Hash: 7091B171214607AFD719DF64C885BEAF7A8FF44350F108629F99AC2190DB30EAA5CF91

Function 00264954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00264994
GetWindowTextW.USER32(?,?,00000400), ref: 002649DA
_wcslen.LIBCMT ref: 002649EB
CharUpperBuffW.USER32(?,00000000), ref: 002649F7
_wcsstr.LIBVCRUNTIME ref: 00264A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00264A64
GetWindowTextW.USER32(?,?,00000400), ref: 00264A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00264AE6
GetClassNameW.USER32(?,?,00000400), ref: 00264B20
GetWindowRect.USER32(?,?), ref: 00264B8B

Strings

ThumbnailClass, xrefs: 00264A6F, 00264AF1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: cd12908321d89152734300480c8470640807af8b30aa1cf92de53d703238cb68
Instruction ID: f299d5ad3d9aa67e83d8b3517cf6a1dac8cb94d747900e3b54727eb9c2cac367
Opcode Fuzzy Hash: cd12908321d89152734300480c8470640807af8b30aa1cf92de53d703238cb68
Instruction Fuzzy Hash: DD91D131424206AFDB04EF54D885FAA77E8FF84304F04846AFDC59A196DB30EDA5CBA1

Function 00298D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00298D5A
GetFocus.USER32 ref: 00298D6A
GetDlgCtrlID.USER32(00000000), ref: 00298D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00298E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00298ECF
GetMenuItemCount.USER32(?), ref: 00298EEC
GetMenuItemID.USER32(?,00000000), ref: 00298EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00298F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00298F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00298FA1

Strings

0, xrefs: 00298E9F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 8c26806eb75a502254a727620057695a5e26fcce9ccf4ea93c8343f6cfb15d5b
Instruction ID: c26ba8a78b6fe0146e19808145f848efec0742b003f19d6953d2d016ccb7459f
Opcode Fuzzy Hash: 8c26806eb75a502254a727620057695a5e26fcce9ccf4ea93c8343f6cfb15d5b
Instruction Fuzzy Hash: B181A271528302AFDB10CF24D888AAB77E9FF8A754F18051EF99597291DB70D920CB62

Function 0026DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0026DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0026DC46
_wcslen.LIBCMT ref: 0026DC50
_wcsstr.LIBVCRUNTIME ref: 0026DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0026DCBC

Strings

DefaultLangCodepage, xrefs: 0026DD1F
04090000, xrefs: 0026DCF2
StringFileInfo\, xrefs: 0026DC8F
\VarFileInfo\Translation, xrefs: 0026DCB4
%u.%u.%u.%u, xrefs: 0026DD9A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6f735cd8bd89a266ff3fa6eccd76fbf29735f7d3bfe26e2626bbd1899e8df81a
Instruction ID: a433a5b075c061e6d1d9cdc1fe797fcbe7b35b89b1521e68ccf62f5be7a23e12
Opcode Fuzzy Hash: 6f735cd8bd89a266ff3fa6eccd76fbf29735f7d3bfe26e2626bbd1899e8df81a
Instruction Fuzzy Hash: 1F412B32A642197BDB14BBB4EC47EFF77ACDF56710F100169F900A6182EB7099708BA4

Function 0028CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0028CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028CD48

Part of subcall function 0028CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0028CCAA
Part of subcall function 0028CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0028CCBD
Part of subcall function 0028CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028CCCF
Part of subcall function 0028CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028CD05
Part of subcall function 0028CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0028CCF3

Strings

advapi32.dll, xrefs: 0028CCB8
RegDeleteKeyExW, xrefs: 0028CCC9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f9eec2ec5fdd4194c75ef4b29ce49bedcb5b3339fcce21040cdb7b9d9a01ca38
Instruction ID: fa8ba2d9aa48b9f4445bbc415032f36c40a7ea98b0990c091e700c62c65c37bb
Opcode Fuzzy Hash: f9eec2ec5fdd4194c75ef4b29ce49bedcb5b3339fcce21040cdb7b9d9a01ca38
Instruction Fuzzy Hash: D3317E75912129BBD720AF55EC88EFFBB7CEF05750F200166A905E3280D7709A459BB0

Function 00273D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00273D40
_wcslen.LIBCMT ref: 00273D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00273D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00273DBE
RemoveDirectoryW.KERNEL32(?), ref: 00273DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00273E55
CloseHandle.KERNEL32(00000000), ref: 00273E60
CloseHandle.KERNEL32(00000000), ref: 00273E6B

Strings

\, xrefs: 00273D77
\??\%s, xrefs: 00273D5B
:, xrefs: 00273D82

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c834ef5a1c9566f14ee0417007b6e679194685b78af6e449cc5bfeb8e0cc7a35
Instruction ID: 1f74593aaf6eaf10c8f68c09cd35688ba6b6c9ebe0d091a65da96d94d36e5b6d
Opcode Fuzzy Hash: c834ef5a1c9566f14ee0417007b6e679194685b78af6e449cc5bfeb8e0cc7a35
Instruction Fuzzy Hash: 4831A17192021AABDB20DFA0DC49FEB37BCEF89700F2081B6F909D6060E77097548B24

Function 0026E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0026E6B4

Part of subcall function 0021E551: timeGetTime.WINMM(?,?,0026E6D4), ref: 0021E555

Sleep.KERNEL32(0000000A), ref: 0026E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0026E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0026E727
SetActiveWindow.USER32 ref: 0026E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0026E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0026E773
Sleep.KERNEL32(000000FA), ref: 0026E77E
IsWindow.USER32 ref: 0026E78A
EndDialog.USER32(00000000), ref: 0026E79B

Strings

BUTTON, xrefs: 0026E719

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 54c9c6eb4e9066e08173f3b42ed7bc9770bf3f332327145d4f9d3c85b3bd4319
Instruction ID: 5a942346356a83bdcda16e3681d2405f26705034edb4755ae94f254e8a76172e
Opcode Fuzzy Hash: 54c9c6eb4e9066e08173f3b42ed7bc9770bf3f332327145d4f9d3c85b3bd4319
Instruction Fuzzy Hash: C721C3B4A10301FFEF025F64FC8DA257B6DFB64348F210427F805821A1DB71AC688B64

Function 0026E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0026EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0026EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0026EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0026EAA7

Strings

play PlayMe wait, xrefs: 0026EA91
open , xrefs: 0026EA0C
alias PlayMe, xrefs: 0026EA36
status PlayMe mode, xrefs: 0026EA58
play PlayMe, xrefs: 0026EAA2
close PlayMe, xrefs: 0026EA6E, 0026EA9B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 122cc089a6ecb8bfbe7b4873a8467e2630c5eb5564101b356d59fad0064efd0c
Instruction ID: 23af7a9d2ab9ebe4dcafbdd99319d06df712d03e2a84cda3bdce1b2487a86dc5
Opcode Fuzzy Hash: 122cc089a6ecb8bfbe7b4873a8467e2630c5eb5564101b356d59fad0064efd0c
Instruction Fuzzy Hash: B8117375A7025979DB20E7A5DD4EEFF6A7CEFD2B00F4005297401A20D2EEB04DA5C9B0

Function 00265CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00265CE2
GetWindowRect.USER32(00000000,?), ref: 00265CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00265D59
GetDlgItem.USER32(?,00000002), ref: 00265D69
GetWindowRect.USER32(00000000,?), ref: 00265D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00265DCF
GetDlgItem.USER32(?,000003E9), ref: 00265DDD
GetWindowRect.USER32(00000000,?), ref: 00265DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00265E31
GetDlgItem.USER32(?,000003EA), ref: 00265E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00265E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00265E67

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 68073c4a61a2b52ee5eaf731c86a5c81e56d08487cd57094f32b748b3ea0517c
Instruction ID: 7ead369489b4c58503a63272e82dc0a1b75b69f0a34d64ba8e7df2aacc7854d5
Opcode Fuzzy Hash: 68073c4a61a2b52ee5eaf731c86a5c81e56d08487cd57094f32b748b3ea0517c
Instruction Fuzzy Hash: A0513071B10615AFDF18CF68DD89AAEBBB9FB48310F208129F515E7294D7709E50CB60

Function 00218BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00218F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00218BE8,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218FC5

DestroyWindow.USER32(?), ref: 00218C81
KillTimer.USER32(00000000,?,?,?,?,00218BBA,00000000,?), ref: 00218D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00256973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 002569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000,?), ref: 002569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00218BBA,00000000), ref: 002569D4
DeleteObject.GDI32(00000000), ref: 002569E6

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 04ed6e7637067afffb6246b830e40e92ba1f909d32c51efd5957512b9e483274
Instruction ID: d6eb9db1da939038816d9e428bedeaa346fddf284cd4c2b94fd39a04bdcedbb2
Opcode Fuzzy Hash: 04ed6e7637067afffb6246b830e40e92ba1f909d32c51efd5957512b9e483274
Instruction Fuzzy Hash: 3A61AD30922601EFDB298F14E99CBA5B7F1FB60312F60451AE44297960CB71ACF4CF94

Function 00219838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00219944: GetWindowLongW.USER32(?,000000EB), ref: 00219952

GetSysColor.USER32(0000000F), ref: 00219862

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 121ddbae2e11e528b0377a2215d425d1d80542dfff4e4d67a09bf387e27743b3
Instruction ID: 44ed04bdf05a0cd0fc05541ab5f23553d9cfed6dd13b1b754889b216d3280791
Opcode Fuzzy Hash: 121ddbae2e11e528b0377a2215d425d1d80542dfff4e4d67a09bf387e27743b3
Instruction Fuzzy Hash: BA41E231115604AFDB205F38AC98BF93BA5FB16331F654606F9A6872E1D7319CE2DB10

Function 00238D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.", xrefs: 0023903A, 00238FD0, 00238FF2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: ."
API String ID: 0-2093358890
Opcode ID: 6abc513fb8774535d42bdbb3f32a51959381014d87ec1fa4d8d72b437da0ee20
Instruction ID: cd1fd830ae6981305fd929292d8100f6e6581af475ba2efbe8d375054771e535
Opcode Fuzzy Hash: 6abc513fb8774535d42bdbb3f32a51959381014d87ec1fa4d8d72b437da0ee20
Instruction Fuzzy Hash: FAC1E4B4D2434AEFDB15DFA8D845BADBBB0AF0A310F144199F814AB392C7748991CF60

Function 002696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0024F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00269717
LoadStringW.USER32(00000000,?,0024F7F8,00000001), ref: 00269720

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0024F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00269742
LoadStringW.USER32(00000000,?,0024F7F8,00000001), ref: 00269745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00269866

Strings

^ ERROR, xrefs: 002697FB
Error: , xrefs: 0026981D
%s (%d) : ==> %s: %s %s, xrefs: 0026984A
Line %d (File "%s"):, xrefs: 0026978F
Line %d:, xrefs: 002697A0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 744b5f32cbbf2d55d5707173681e05a2bbfd145d1c9caed888a8603ed3224a8c
Instruction ID: db76490c07261d2d3b7dcf1e3eaa51bc72919821ab71a7dc9a5e920723127a58
Opcode Fuzzy Hash: 744b5f32cbbf2d55d5707173681e05a2bbfd145d1c9caed888a8603ed3224a8c
Instruction Fuzzy Hash: 28412F72820209AACB14EBE0DD86EEE777CAF55340F500165B606720D3EE356FA8CF61

Function 002606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00260804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0026082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00260837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0026083C

Strings

\IPC$, xrefs: 00260784
\CLSID, xrefs: 00260724
SOFTWARE\Classes\, xrefs: 0026070E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ae041debc516c7f70bd9177cfbec16f1b3912b519d0474c0ef2460306a77196f
Instruction ID: 6b9ed930f1853023b56b503a5992d157ed9b65cc3b03e88b3b5aea8769a63d52
Opcode Fuzzy Hash: ae041debc516c7f70bd9177cfbec16f1b3912b519d0474c0ef2460306a77196f
Instruction Fuzzy Hash: 4A41E972D20229ABDF15EFA4DC95DEEB778BF04350F544169E901A31A1EB309E64CFA0

Function 00283C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00283C5C
CoInitialize.OLE32(00000000), ref: 00283C8A
CoUninitialize.OLE32 ref: 00283C94
_wcslen.LIBCMT ref: 00283D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00283DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00283ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00283F0E
CoGetObject.OLE32(?,00000000,0029FB98,?), ref: 00283F2D
SetErrorMode.KERNEL32(00000000), ref: 00283F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00283FC4
VariantClear.OLEAUT32(?), ref: 00283FD8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f57b734fede1fc753982c3518747a7f993b023549a43e0310dd471c06c065a33
Instruction ID: d5f0273135176d32096a9a496bec8d8c8b7586013444a675379c2746c7b64d10
Opcode Fuzzy Hash: f57b734fede1fc753982c3518747a7f993b023549a43e0310dd471c06c065a33
Instruction Fuzzy Hash: 24C157756283019FD700EF68C88492BBBE9FF89B48F10491DF98A9B291D730ED55CB52

Function 00277A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00277AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00277B8F
SHGetDesktopFolder.SHELL32(?), ref: 00277BA3
CoCreateInstance.OLE32(0029FD08,00000000,00000001,002C6E6C,?), ref: 00277BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00277C74
CoTaskMemFree.OLE32(?,?), ref: 00277CCC
SHBrowseForFolderW.SHELL32(?), ref: 00277D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00277D7A
CoTaskMemFree.OLE32(00000000), ref: 00277D81
CoTaskMemFree.OLE32(00000000), ref: 00277DD6
CoUninitialize.OLE32 ref: 00277DDC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7b1faf3b56d6aae0dc98b6b6496760d2530e81eeeb3fe8d012f978ba0b4dbc23
Instruction ID: 080be1f639ffb31f5c6032c17892269504678ceb009b89a86631df1acced2cfc
Opcode Fuzzy Hash: 7b1faf3b56d6aae0dc98b6b6496760d2530e81eeeb3fe8d012f978ba0b4dbc23
Instruction Fuzzy Hash: 61C10C75A14209AFDB14DF64C888DAEBBF9FF48304B148499E81ADB262D730ED55CF90

Function 0029541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00295504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00295515
CharNextW.USER32(00000158), ref: 00295544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00295585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0029559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002955AC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2c2fce9ecc6b721b5253da8f2af76fc6f6c0680f65e67768d0318a43666ceba9
Instruction ID: 34badd4e33f1bed74df64064c2e7693c58d9753000f3ac0c294e7a42c374b35b
Opcode Fuzzy Hash: 2c2fce9ecc6b721b5253da8f2af76fc6f6c0680f65e67768d0318a43666ceba9
Instruction Fuzzy Hash: B761B031A20629EFEF168F50DC849FE7BB9FF09720F104145F925A7291D7749AA0DBA0

Function 0025FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0025FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0025FB08
VariantInit.OLEAUT32(?), ref: 0025FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0025FB3A
VariantCopy.OLEAUT32(?,?), ref: 0025FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0025FBA1
VariantClear.OLEAUT32(?), ref: 0025FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0025FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025FBCC
VariantClear.OLEAUT32(?), ref: 0025FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0025FBE9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 96b76c3b789e824f6a56a03e0648c92c3519277013da70f96b684e8a48ad6b37
Instruction ID: 591663224a8dd33ee05a5ad5cb6fa0b86cad633ed5fb51993bd6b2f28257cba5
Opcode Fuzzy Hash: 96b76c3b789e824f6a56a03e0648c92c3519277013da70f96b684e8a48ad6b37
Instruction Fuzzy Hash: 96418075A10219DFCF00DF68D9589AEBBB9FF08345F10806AF906A7261DB30A955CFA1

Function 00269C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00269CA1
GetAsyncKeyState.USER32(000000A0), ref: 00269D22
GetKeyState.USER32(000000A0), ref: 00269D3D
GetAsyncKeyState.USER32(000000A1), ref: 00269D57
GetKeyState.USER32(000000A1), ref: 00269D6C
GetAsyncKeyState.USER32(00000011), ref: 00269D84
GetKeyState.USER32(00000011), ref: 00269D96
GetAsyncKeyState.USER32(00000012), ref: 00269DAE
GetKeyState.USER32(00000012), ref: 00269DC0
GetAsyncKeyState.USER32(0000005B), ref: 00269DD8
GetKeyState.USER32(0000005B), ref: 00269DEA

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fbad9eb74a2b38df89bf52a375e0474b1ec6d6e8fb5ca1c127318e63ea2621b6
Instruction ID: 4b9ffc5fd51dccf08d250f1ca2f60d0e8d7c646688f840e6e462f5ccb343dfc4
Opcode Fuzzy Hash: fbad9eb74a2b38df89bf52a375e0474b1ec6d6e8fb5ca1c127318e63ea2621b6
Instruction Fuzzy Hash: 1F41F6305147CB69FF309F64C8043B5BEA8AF16304F44806BCAC6561C2DFB599E8C7A2

Function 0028055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002805BC
inet_addr.WSOCK32(?), ref: 0028061C
gethostbyname.WSOCK32(?), ref: 00280628
IcmpCreateFile.IPHLPAPI ref: 00280636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002807B9
WSACleanup.WSOCK32 ref: 002807BF

Strings

Ping, xrefs: 00280676

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bfb41412f2a7c1dc7232be37aa925837aabc43de9f0d9c9c4ae904f24e357277
Instruction ID: 0cb65a619fcfad3dd13b20b96ecf357bf0bfcd384fb2178931c43c7333a3068c
Opcode Fuzzy Hash: bfb41412f2a7c1dc7232be37aa925837aabc43de9f0d9c9c4ae904f24e357277
Instruction Fuzzy Hash: 2191AF786192029FD360EF15D4C8F1ABBE4AF44318F1485A9F46A8B6E2C770EC59CF91

Function 00288CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00288CF3

Part of subcall function 00268E54: _wcslen.LIBCMT ref: 00268E77

_wcslen.LIBCMT ref: 00288D4E
_wcslen.LIBCMT ref: 00288D9C
_wcslen.LIBCMT ref: 00288DDC
_wcslen.LIBCMT ref: 00288E6E

Strings

stdcall, xrefs: 00288DD6, 00288DDB
cdecl, xrefs: 00288D48, 00288D4D
winapi, xrefs: 00288D96, 00288D9B
none, xrefs: 00288E65, 00288E6A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4c80c6062a96d96ca84536f92c72d0b1dce1c98189418e3bab5b6f2a50bcd9d8
Instruction ID: 1c255510acafcf807fd3b4a9b396523a39171364ef969ee0df0205b828cfe311
Opcode Fuzzy Hash: 4c80c6062a96d96ca84536f92c72d0b1dce1c98189418e3bab5b6f2a50bcd9d8
Instruction Fuzzy Hash: E751B435A211179BCF14EF6CC9409BEB7A5BF64720BA04229F426E72C5DB71ED60CB90

Function 0028372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00283774
CoUninitialize.OLE32 ref: 0028377F
CoCreateInstance.OLE32(?,00000000,00000017,0029FB78,?), ref: 002837D9
IIDFromString.OLE32(?,?), ref: 0028384C
VariantInit.OLEAUT32(?), ref: 002838E4
VariantClear.OLEAUT32(?), ref: 00283936

Strings

Invalid parameter, xrefs: 00283865
NULL Pointer assignment, xrefs: 0028381E
Failed to create object, xrefs: 002837E4, 0028389A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 867ce5410d524af28061e23f56e0bc34b821a994bccf9e601b3308859cc18227
Instruction ID: 1998f77e57c6406b7c6ea0f5e12e4255c95056f447ba3d40a9a587ab1cc0b917
Opcode Fuzzy Hash: 867ce5410d524af28061e23f56e0bc34b821a994bccf9e601b3308859cc18227
Instruction Fuzzy Hash: 9F61A074629301AFD311EF54C888F5ABBE8EF49B14F100919F8859B2D1C770EE68CB92

Function 00298B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

Part of subcall function 0021912D: GetCursorPos.USER32(?), ref: 00219141
Part of subcall function 0021912D: ScreenToClient.USER32(00000000,?), ref: 0021915E
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000001), ref: 00219183
Part of subcall function 0021912D: GetAsyncKeyState.USER32(00000002), ref: 0021919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00298B6B
ImageList_EndDrag.COMCTL32 ref: 00298B71
ReleaseCapture.USER32 ref: 00298B77
SetWindowTextW.USER32(?,00000000), ref: 00298C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00298C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00298CFF

Strings

@GUI_DROPID, xrefs: 00298C51
@GUI_DRAGFILE, xrefs: 00298C9A
p#-, xrefs: 00298C71

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#-
API String ID: 1924731296-962097240
Opcode ID: 75b3d6fcb2c9141e33d1c64fb631ada968acafc2c06ac0268bc4eae306a12097
Instruction ID: a28e087b9761bede69b98adb85a6e2daa05c016e3c5ad5dd88c6f6fef515f0f7
Opcode Fuzzy Hash: 75b3d6fcb2c9141e33d1c64fb631ada968acafc2c06ac0268bc4eae306a12097
Instruction Fuzzy Hash: EA519971515300AFDB04DF14D86AFAA77E4BB89710F50062EF952A72E2CB709D64CB62

Function 00273388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002733CF

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002733F0

Strings

Error: , xrefs: 002734D1
"%s" (%d) : ==> %s:, xrefs: 00273522
Line %d (File "%s"):, xrefs: 00273443, 0027345C
^ ERROR , xrefs: 0027349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00273504
Incorrect parameters to object property !, xrefs: 002734AB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 285256d0439452e78a70e2c6d8a6e26f52527d9fba0e2a453ba1be008f01bbee
Instruction ID: 29c4df02931a2f3175015840b74966944b2e0b4997aded10e88f0f9d24ef7d73
Opcode Fuzzy Hash: 285256d0439452e78a70e2c6d8a6e26f52527d9fba0e2a453ba1be008f01bbee
Instruction Fuzzy Hash: D5516F71D20209AADF15EBA0DD46EEEB778AF18340F504165F50572192EB316FB8DF60

Function 0026B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0026B5FC
_wcslen.LIBCMT ref: 0026B608
_wcslen.LIBCMT ref: 0026B64D
_wcslen.LIBCMT ref: 0026B68C
_wcslen.LIBCMT ref: 0026B6C7

Strings

REMOVE, xrefs: 0026B602, 0026B607
EXISTS, xrefs: 0026B686, 0026B68B
APPEND, xrefs: 0026B6C1, 0026B6C6
KEYS, xrefs: 0026B647, 0026B64C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d91c77a2ed3ebe5caba8d1c942a3d98e8c28d19e46a79e2b28f96236d04bc51f
Instruction ID: 8b059530a2d3700057dc1254374c991316acb6ce59d4045d5bbf8f4ce471f437
Opcode Fuzzy Hash: d91c77a2ed3ebe5caba8d1c942a3d98e8c28d19e46a79e2b28f96236d04bc51f
Instruction Fuzzy Hash: B641E633A201279BCB216F7DC9905BEB7A9EFA0754B244229E421DB284F731CDE1C790

Function 00275393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00275416
GetLastError.KERNEL32 ref: 00275420
SetErrorMode.KERNEL32(00000000,READY), ref: 002754A7

Strings

NOTREADY, xrefs: 0027544B
READONLY, xrefs: 00275452
INVALID, xrefs: 00275459
UNKNOWN, xrefs: 00275444
READY, xrefs: 00275460, 00275468

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4a5f2857751da8cf281517561f7d5be47c15edb217f32f135657e6c7bfc23dbf
Instruction ID: e204eb1b7999a388c2b9dd8a4f4ddc1d572a317da6d087d6abcae100374ee1c5
Opcode Fuzzy Hash: 4a5f2857751da8cf281517561f7d5be47c15edb217f32f135657e6c7bfc23dbf
Instruction Fuzzy Hash: 9331B335A206159FD710DF68C498FAABBB4EF45305F14C05AE40ACB292DBB1DD92CBA0

Function 00293C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00293C79
SetMenu.USER32(?,00000000), ref: 00293C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00293D10
IsMenu.USER32(?), ref: 00293D24
CreatePopupMenu.USER32 ref: 00293D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00293D5B
DrawMenuBar.USER32 ref: 00293D63

Strings

0, xrefs: 00293C54
F, xrefs: 00293D4E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1ff70632c699b6f5b34b349b3732d137c31e902f4bfb60eefdb9550b007ef1d6
Instruction ID: 478db9e154555affbe2ebeb61d79aeeb1c706f2bb0e30ae66ff52ede07f87810
Opcode Fuzzy Hash: 1ff70632c699b6f5b34b349b3732d137c31e902f4bfb60eefdb9550b007ef1d6
Instruction Fuzzy Hash: D0415EB5A1120AEFDF14CFA4E858AEA77B5FF49350F140029F946A7360D770AA20CF64

Function 00293A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00293A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00293AA0
GetWindowLongW.USER32(?,000000F0), ref: 00293AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00293AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00293B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00293BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00293BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00293BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00293BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00293C13

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7333431280abf6895c433e0981a8ba487344cf1fb37428861175dc73a4344b27
Instruction ID: c2e5ae1743374004f1660a10d84d2f66b043707e5389e9d8fbf3febceb7ed651
Opcode Fuzzy Hash: 7333431280abf6895c433e0981a8ba487344cf1fb37428861175dc73a4344b27
Instruction Fuzzy Hash: 91618A75910208AFDB10DFA8CC95EEE77B8EB09704F10409AFA15E72A2C770AE65DF50

Function 0026B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0026B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B165
GetWindowThreadProcessId.USER32(00000000), ref: 0026B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0026B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0026A1E1,?,00000001), ref: 0026B21D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 886d65431e57ac8dc6773691d981c61d2a77543b1d3af5773c745bd1d4f821c6
Instruction ID: bab7ea95d77f94cfee73cab6694aaa9adbebcfe7a60ebcb069c6aa881c56e401
Opcode Fuzzy Hash: 886d65431e57ac8dc6773691d981c61d2a77543b1d3af5773c745bd1d4f821c6
Instruction Fuzzy Hash: 8031AD75920205BFDB12DF64EC5CBAE7BADBB51312F208026FA05D6190D7B49ED08F61

Function 00232C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00232C94

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 00232CA0
_free.LIBCMT ref: 00232CAB
_free.LIBCMT ref: 00232CB6
_free.LIBCMT ref: 00232CC1
_free.LIBCMT ref: 00232CCC
_free.LIBCMT ref: 00232CD7
_free.LIBCMT ref: 00232CE2
_free.LIBCMT ref: 00232CED
_free.LIBCMT ref: 00232CFB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8ccd0ed4a9f06add234823515cf65c1da38ab55948c148dc9711978d13f2893c
Instruction ID: 1e451bd44fb7aa55ada498cab69c517e7b40f9beab49d842aff8d4cf0cb82b46
Opcode Fuzzy Hash: 8ccd0ed4a9f06add234823515cf65c1da38ab55948c148dc9711978d13f2893c
Instruction Fuzzy Hash: 9111A7B6120118EFCB02EF54E842EDD7BA5FF05350F5154A5F9485F222DA31EE649F90

Function 00277DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00277FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00277FC1
GetFileAttributesW.KERNEL32(?), ref: 00277FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00278005
SetCurrentDirectoryW.KERNEL32(?), ref: 00278017
SetCurrentDirectoryW.KERNEL32(?), ref: 00278060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002780B0

Strings

*.*, xrefs: 00278066

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 84f1cda96df13818ba1feb423d7d04041c1fef677b557386f41e5578de3ac167
Instruction ID: cf494c1fa84e80e152cfbc1851ee73736525cdd0351f43795fd6faa23126dd48
Opcode Fuzzy Hash: 84f1cda96df13818ba1feb423d7d04041c1fef677b557386f41e5578de3ac167
Instruction Fuzzy Hash: 4A81C5715283029BDB20DF14C8449AEB3E8BF89314F548C6EF889D7251DB74DD65CB52

Function 00205BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00205C7A

Part of subcall function 00205D0A: GetClientRect.USER32(?,?), ref: 00205D30
Part of subcall function 00205D0A: GetWindowRect.USER32(?,?), ref: 00205D71
Part of subcall function 00205D0A: ScreenToClient.USER32(?,?), ref: 00205D99

GetDC.USER32 ref: 002446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00244708
SelectObject.GDI32(00000000,00000000), ref: 00244716
SelectObject.GDI32(00000000,00000000), ref: 0024472B
ReleaseDC.USER32(?,00000000), ref: 00244733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002447C4

Strings

U, xrefs: 00244693

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f9bc4322ad85c6f7cd7799226e8e94d41d1df53b76bc7c7d02c5b4ca0f52326
Instruction ID: 4194e1196402455f125b79d1d0ea31954de88c57752f929059e7351d50bcbd2c
Opcode Fuzzy Hash: 7f9bc4322ad85c6f7cd7799226e8e94d41d1df53b76bc7c7d02c5b4ca0f52326
Instruction Fuzzy Hash: F1710430420206DFDF29AF64C984BBA7BB5FF4A320F24426AED555A1A6C7309C62DF50

Function 0027359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002735E4

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

LoadStringW.USER32(002D2390,?,00000FFF,?), ref: 0027360A

Strings

^ ERROR, xrefs: 002736C9
Error: , xrefs: 002736EF
"%s" (%d) : ==> %s:, xrefs: 00273742
Line %d (File "%s"):, xrefs: 0027366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00273724

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 25937bd08b3483543fed06f199d94c84809e8ee1ff47e6fca74785d57b3cff52
Instruction ID: 340d4d4c4d64299019939b4f6bd81c24addae6f883a9ea0aa6452700edef8638
Opcode Fuzzy Hash: 25937bd08b3483543fed06f199d94c84809e8ee1ff47e6fca74785d57b3cff52
Instruction Fuzzy Hash: 9C516E71D2020ABADF14EBA0DC46EEEBB78AF04300F144165F105721A2EB315AF9DFA0

Function 0027C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027C2CA
GetLastError.KERNEL32 ref: 0027C322
SetEvent.KERNEL32(?), ref: 0027C336
InternetCloseHandle.WININET(00000000), ref: 0027C341

Strings

, xrefs: 0027C2BB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 09c4631b8312456807400e477f982b628fa82ae2af6f5aa51775b57948aa15f0
Instruction ID: 8511ed11a2c78bc7f7e4b701934e94af947f290a3ac6c08ff5eccc159ce3cdb6
Opcode Fuzzy Hash: 09c4631b8312456807400e477f982b628fa82ae2af6f5aa51775b57948aa15f0
Instruction Fuzzy Hash: B3317AB1620608AFD7219FB49C88AAB7BFCEB49744B20C51EF84A92201DB34DD149B61

Function 0026989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00243AAF,?,?,Bad directive syntax error,0029CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002698BC
LoadStringW.USER32(00000000,?,00243AAF,?), ref: 002698C3

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00269987

Strings

Line %d (File "%s"):, xrefs: 0026992D
%s (%d) : ==> %s.: %s %s, xrefs: 002698F1
Error: , xrefs: 00269955
Line %d:, xrefs: 00269912
., xrefs: 0026996D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 749958d662eec63e95b198e34a9a520728f9c6ff1e76a4762f57a6e30f299d8f
Instruction ID: 054339f9f17b3ae2b931850cf0717b28d8b3fc0348c92088253e5c7276cf4503
Opcode Fuzzy Hash: 749958d662eec63e95b198e34a9a520728f9c6ff1e76a4762f57a6e30f299d8f
Instruction Fuzzy Hash: EE216D3182021AABCF25EF90CC4AEEE7779BF18704F04445AF515620A2EA7196B8DF50

Function 0026209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0026214D

Strings

list, xrefs: 0026212F
details, xrefs: 002620FB
SHELLDLL_DefView, xrefs: 002620CC
smallicons, xrefs: 00262115
largeicons, xrefs: 002620E1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ac7ebb06afc64fc932cb1a55bdefb7218ed53883b9fc1ec24f4d59af4fcc2805
Instruction ID: 3516b20bb19b858d56c7b596be31790fad81d0b5d8cd06b78c664a56065d4afd
Opcode Fuzzy Hash: ac7ebb06afc64fc932cb1a55bdefb7218ed53883b9fc1ec24f4d59af4fcc2805
Instruction Fuzzy Hash: 28113D761BCB17F5F6056620EC0AEA6379CCB16314B30015AFB08A40D2EEA1ACF55914

Function 0023CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0023CEB7
_free.LIBCMT ref: 0023CF22
_free.LIBCMT ref: 0023CF48
_free.LIBCMT ref: 0023CF71
_free.LIBCMT ref: 0023CFA9
_free.LIBCMT ref: 0023CFDA
_free.LIBCMT ref: 0023D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0023D09C
_free.LIBCMT ref: 0023D0B5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 69b70ab7bd0c46039758ef044109abbc42c40f2500c0ee81f56a45208c749ed9
Instruction ID: f99b1b6b2554c905084ea2ae6035166cfd0e06a448d1aefb916ab53cd1ad115c
Opcode Fuzzy Hash: 69b70ab7bd0c46039758ef044109abbc42c40f2500c0ee81f56a45208c749ed9
Instruction Fuzzy Hash: 5A6178F1924312EFDB25AFB4A885B697BA5EF05710F24416FF800B7281D6329D21CB90

Function 00218B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00256890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00218874,00000000,00000000,00000000,000000FF,00000000), ref: 00256901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0025691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00218874,00000000,00000000,00000000,000000FF,00000000), ref: 0025692D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 70d981a8f4ca0880564bf028cd59721386994c55fbdd1ca831d83e9481192ee7
Instruction ID: f39946b9b976e9c05e3f865951aabd0674d84feac7c48998ae5c9052a90e49c2
Opcode Fuzzy Hash: 70d981a8f4ca0880564bf028cd59721386994c55fbdd1ca831d83e9481192ee7
Instruction Fuzzy Hash: AD518C70A20206AFDB20CF24DC99BAA77F5EF64354F104519F906D72A0DB70EEA4DB50

Function 0027C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027C182
GetLastError.KERNEL32 ref: 0027C195
SetEvent.KERNEL32(?), ref: 0027C1A9

Part of subcall function 0027C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027C272
Part of subcall function 0027C253: GetLastError.KERNEL32 ref: 0027C322
Part of subcall function 0027C253: SetEvent.KERNEL32(?), ref: 0027C336
Part of subcall function 0027C253: InternetCloseHandle.WININET(00000000), ref: 0027C341

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cedd59a60037792d68f66452d212f83af573bdcddc38143ce8c913f11d215196
Instruction ID: cab528fee6bd2e54987ca317091b5d75b896cfa01936946ba9ea9bc170a41ddc
Opcode Fuzzy Hash: cedd59a60037792d68f66452d212f83af573bdcddc38143ce8c913f11d215196
Instruction Fuzzy Hash: 0C318F71610601AFDB219FB5EC48A67BBF8FF58300B60842EF95E82611D730E9249F60

Function 002625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00262601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00262605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0026260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00262623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00262627

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c25aeff79cd81b0caffcebf731bd101220db5349c798646d6b4b606b208e339e
Instruction ID: abe096c3d5676a025bb2dfccd11241b436393c182962d6074f92e10c5495aefb
Opcode Fuzzy Hash: c25aeff79cd81b0caffcebf731bd101220db5349c798646d6b4b606b208e339e
Instruction Fuzzy Hash: 2001B530690610BBFB106769DC8EF593E59DF4AB51F200012F318AE0D1C9E11454DA69

Function 00261803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00261449,?,?,00000000), ref: 0026180C
HeapAlloc.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 00261813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261449,?,?,00000000), ref: 00261828
GetCurrentProcess.KERNEL32(?,00000000,?,00261449,?,?,00000000), ref: 00261830
DuplicateHandle.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 00261833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261449,?,?,00000000), ref: 00261843
GetCurrentProcess.KERNEL32(00261449,00000000,?,00261449,?,?,00000000), ref: 0026184B
DuplicateHandle.KERNEL32(00000000,?,00261449,?,?,00000000), ref: 0026184E
CreateThread.KERNEL32(00000000,00000000,00261874,00000000,00000000,00000000), ref: 00261868

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8b3d7f7523ad2fa593f3cf907a9b633de630007244ba9f06421004631769fb7b
Instruction ID: 95165ff2e12377315a7bd2ce340db0abf2bdcc5c793bf6214184fb7db20d1a56
Opcode Fuzzy Hash: 8b3d7f7523ad2fa593f3cf907a9b633de630007244ba9f06421004631769fb7b
Instruction Fuzzy Hash: 1001BF75240304BFE710AB65ED4DF5B3B6CEB89B11F504411FA05DB1A1C6709810CB34

Function 0028A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0026D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0026D501
Part of subcall function 0026D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0026D50F
Part of subcall function 0026D4DC: CloseHandle.KERNELBASE(00000000), ref: 0026D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028A16D
GetLastError.KERNEL32 ref: 0028A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0028A268
GetLastError.KERNEL32(00000000), ref: 0028A273
CloseHandle.KERNEL32(00000000), ref: 0028A2C4

Strings

SeDebugPrivilege, xrefs: 0028A18F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 54bd882dc95e932a62bf6d03e54c378f75b0c5af50eb64764f8d07aaa919f3ba
Instruction ID: 63a08e5707a6ce1488827adb728d6c7bfae3326312ae410798bf4b7d45c4d787
Opcode Fuzzy Hash: 54bd882dc95e932a62bf6d03e54c378f75b0c5af50eb64764f8d07aaa919f3ba
Instruction Fuzzy Hash: 2861A3742152429FE720EF18C498F15BBE1AF44318F14849DE45A4B7E3CB76EC55CB92

Function 00293886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00293925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0029393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00293954
_wcslen.LIBCMT ref: 00293999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002939F4

Strings

SysListView32, xrefs: 002938F7

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: cc669bf940d7ee94b14753056a4e4a5ee426e6c467528f0e9708fb88b2ec950c
Instruction ID: aa8ffd2f809e7ca2a8673a7212e12a4d757a7553384f6c48c8370e87466290ae
Opcode Fuzzy Hash: cc669bf940d7ee94b14753056a4e4a5ee426e6c467528f0e9708fb88b2ec950c
Instruction Fuzzy Hash: F4418671A10219ABEF21DF64CC49FEA77A9FF48350F10052AF958E7281D7719DA4CB90

Function 0026BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0026BCFD
IsMenu.USER32(00000000), ref: 0026BD1D
CreatePopupMenu.USER32 ref: 0026BD53
GetMenuItemCount.USER32(01425BA8), ref: 0026BDA4
InsertMenuItemW.USER32(01425BA8,?,00000001,00000030), ref: 0026BDCC

Strings

0, xrefs: 0026BCA8
2, xrefs: 0026BD37

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2a7c2b2283fe95f2e150f7d086fd803451643a84c34c963d83b563868be5e12f
Instruction ID: cd8656b3c311226e36f9298f0c46ecd48a0dc4a97650beef4c7919db0798a343
Opcode Fuzzy Hash: 2a7c2b2283fe95f2e150f7d086fd803451643a84c34c963d83b563868be5e12f
Instruction Fuzzy Hash: 0451B270A20206DBDF12DFA8D8C8BAEBBF8BF45314F24415AE441EB291D77099E1CB51

Function 00222D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00222D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00222D53
_ValidateLocalCookies.LIBCMT ref: 00222DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00222E0C
_ValidateLocalCookies.LIBCMT ref: 00222E61

Strings

csm, xrefs: 00222DF6
&H", xrefs: 00222DFE, 00222E07, 00222E18

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H"$csm
API String ID: 1170836740-3377455284
Opcode ID: 8f37e769d6cf6c3f4cba72849423acdcfafc803c848c3b3c27650dd0ea3140b9
Instruction ID: 6461f5830f3acf12e13545faef51e69044e4f4e3fb583f77d27c958bf3ac7127
Opcode Fuzzy Hash: 8f37e769d6cf6c3f4cba72849423acdcfafc803c848c3b3c27650dd0ea3140b9
Instruction Fuzzy Hash: 6B41D634A20229FBCF10DFA8E844A9EBBA4BF45324F148155E8145B352D736AA29CF91

Function 0026C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0026C913

Strings

stop, xrefs: 0026C8E4
warning, xrefs: 0026C8FC
question, xrefs: 0026C8CC
blank, xrefs: 0026C895
info, xrefs: 0026C8B4

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9f323c43d92b0351aefde7d34df590abc9a920277b0e849c5a3743ee23a4ce40
Instruction ID: acdad67ae5d5de3cb70d96512d953514d0d50df0026f45de71da1bbef66e9974
Opcode Fuzzy Hash: 9f323c43d92b0351aefde7d34df590abc9a920277b0e849c5a3743ee23a4ce40
Instruction Fuzzy Hash: 59112B316BA307BAA705BB54EC86DBA679CDF16354B30002FF944A7282D7F05DA05664

Function 0026DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0026DE42
gethostname.WSOCK32(?,00000100), ref: 0026DE5C
gethostbyname.WSOCK32(?), ref: 0026DE69
inet_ntoa.WSOCK32(?), ref: 0026DEAB
_strcat.LIBCMT ref: 0026DEB9
WSACleanup.WSOCK32 ref: 0026DEDE

Strings

0.0.0.0, xrefs: 0026DE87

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 20294a93eefcac3ef193072f47bb1348a51416a2f0406020e90223791e6f9092
Instruction ID: de266505030571122750fcbe83d8407d6a885b4843e95673b2e210135edf9dfd
Opcode Fuzzy Hash: 20294a93eefcac3ef193072f47bb1348a51416a2f0406020e90223791e6f9092
Instruction Fuzzy Hash: D411DA71A24119BFCB24BBB0AC4AEDE77ACDF11711F11016AF54596091EFB18AE18E90

Function 0026ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0026ED2A
_wcslen.LIBCMT ref: 0026ED3B
_wcslen.LIBCMT ref: 0026ED79
_wcslen.LIBCMT ref: 0026EDAF
_wcslen.LIBCMT ref: 0026EDDF
_wcslen.LIBCMT ref: 0026EDEF
_wcslen.LIBCMT ref: 0026EE2B
_wcslen.LIBCMT ref: 0026EE5A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e3580494bdcba734a6ca4a871af36f62dd9bc19bbb202ba90e5d722a3fe47704
Instruction ID: 5d73230382ec574176e0f869b59e7f68c371a15fb59a13f1d36aeba6741149f2
Opcode Fuzzy Hash: e3580494bdcba734a6ca4a871af36f62dd9bc19bbb202ba90e5d722a3fe47704
Instruction Fuzzy Hash: 40417566C20128B5CB11FBF4988AACF77ACAF45710F514562F914E3122FB34E2A5C7E5

Function 0021F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0021F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0025F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0025F454

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e088928c4ffd86515b32ceac4c105f44ab4d19681825441df2664794cec17c48
Instruction ID: 651cfdc978ba3509d7111bb548fd455d33f9e9eb806fb4a7d1d4ff411c54ce1c
Opcode Fuzzy Hash: e088928c4ffd86515b32ceac4c105f44ab4d19681825441df2664794cec17c48
Instruction Fuzzy Hash: 7C417B306382C1BAD7B4AF28DB8C7EA7BD1AB66320F58443DE46752560C671A8E1CB50

Function 00292D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00292D1B
GetDC.USER32(00000000), ref: 00292D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00292D2E
ReleaseDC.USER32(00000000,00000000), ref: 00292D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00292D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00292D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00295A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00292DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00292DE1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 309304c2a5f8a8c734937adb27be1e8fd5bd633e3ab327038b23c470fdf7a724
Instruction ID: 86693869f5a15bc50b309851238edd1230b380be1809f6d14cc7f7562a78d97a
Opcode Fuzzy Hash: 309304c2a5f8a8c734937adb27be1e8fd5bd633e3ab327038b23c470fdf7a724
Instruction Fuzzy Hash: D3316772211214BBEF258F50DC8AFEB3BADEF49715F144066FE089A291C6759C50CBB4

Function 00265622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00265637
_memcmp.LIBVCRUNTIME ref: 00265659
_memcmp.LIBVCRUNTIME ref: 00265671
_memcmp.LIBVCRUNTIME ref: 00265684
_memcmp.LIBVCRUNTIME ref: 0026569E
_memcmp.LIBVCRUNTIME ref: 002656B1
_memcmp.LIBVCRUNTIME ref: 002656C9
_memcmp.LIBVCRUNTIME ref: 002656E4

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f12ec4c756314b31198a939e3b1e112b9c43dda5ff755ed087892c27bce36f48
Instruction ID: a76b5554d6860fe30e97bf5f8e6dcd6ea138874c35c5ee983acd8d7df74d4d4e
Opcode Fuzzy Hash: f12ec4c756314b31198a939e3b1e112b9c43dda5ff755ed087892c27bce36f48
Instruction Fuzzy Hash: AB212661670A3A7BD668DA20EE82FFA334DAF31394F444021FD04AA685F760ED70C5A5

Function 00284FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0028502E, 00285383
Not an Object type, xrefs: 00285007

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bd804879ec5a826b006211e43c2df1e307cef77a76a6835c326c7c0069a2e99f
Instruction ID: 915e19ef58ad51eb871dc8cb191ac73a87e7fb37807e0df261c8993c59b66ece
Opcode Fuzzy Hash: bd804879ec5a826b006211e43c2df1e307cef77a76a6835c326c7c0069a2e99f
Instruction Fuzzy Hash: 0BD1E279A1161AAFDF10EFA8C884BAEB7B5FF48344F148069E915AB2C0E770DD51CB50

Function 00241522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00241651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002417FB,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002416FB

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00241777
__freea.LIBCMT ref: 002417A2
__freea.LIBCMT ref: 002417AE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c6511dad6a8d6c71e87463dd4290172509f1204eb4ee04de4ebbc4a20224df54
Instruction ID: b9f922caafce395c090eb7c264840ba5de1beb4007d276aafb48984d656b56ec
Opcode Fuzzy Hash: c6511dad6a8d6c71e87463dd4290172509f1204eb4ee04de4ebbc4a20224df54
Instruction Fuzzy Hash: 5F91D471E302169ADF288F74CC81AEEBBB9AF49750F584659E805E7181D735CDB0CB60

Function 00284523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00284648
VariantInit.OLEAUT32(?), ref: 00284749
VariantClear.OLEAUT32(?), ref: 00284753
VariantClear.OLEAUT32(?), ref: 002847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002845D8, 00284706, 002847BE
Incorrect Object type in FOR..IN loop, xrefs: 0028472C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 832670eb7a4b786152016740b58a5f950c3a1eb3c72f86291b32c60f22a0a650
Instruction ID: 3bf92312edea8db2baac7b382aba1b7c8384202e5fab1a18095b0114ede9c480
Opcode Fuzzy Hash: 832670eb7a4b786152016740b58a5f950c3a1eb3c72f86291b32c60f22a0a650
Instruction Fuzzy Hash: 7891A174A21216AFDF20EFA4C844FAEBBB8EF46714F108559F505AB280D7709951CFA0

Function 00271187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0027125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00271284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0027135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00271430

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 10799aa140f62f6524dac8b33262b491d944b011e54b072f9b555b77cb73b03a
Instruction ID: 126072bb23f09667f871955bcca36162377ee997781f6e440e82903a2a20dc0b
Opcode Fuzzy Hash: 10799aa140f62f6524dac8b33262b491d944b011e54b072f9b555b77cb73b03a
Instruction Fuzzy Hash: 6B911771A20219AFEB00DF98D895BBE77B5FF45314F108029E908EB292D774A971CF50

Function 0021948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a485ccfd925479ed631c4c5689a452f74cb53985abeef0d5b8e2526f4d975f20
Instruction ID: afcdd22d45c8a3b2fa1c75af37d4ead3ff3c3be7c07391fc43982cb4796a502a
Opcode Fuzzy Hash: a485ccfd925479ed631c4c5689a452f74cb53985abeef0d5b8e2526f4d975f20
Instruction Fuzzy Hash: DA912671D5021AEFCB10CFA9CC88AEEBBB9FF49320F148055E915B7251D374AA91CB60

Function 00283947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0028396B
CharUpperBuffW.USER32(?,?), ref: 00283A7A
_wcslen.LIBCMT ref: 00283A8A
VariantClear.OLEAUT32(?), ref: 00283C1F

Part of subcall function 00270CDF: VariantInit.OLEAUT32(00000000), ref: 00270D1F
Part of subcall function 00270CDF: VariantCopy.OLEAUT32(?,?), ref: 00270D28
Part of subcall function 00270CDF: VariantClear.OLEAUT32(?), ref: 00270D34

Strings

Incorrect Parameter format, xrefs: 002839A6, 00283BA1
AUTOIT.ERROR, xrefs: 00283A80, 00283A85

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 49237ed6d9e39213bdbc94684ff7287a2e1e8f9d140339528ecd2eb9f52f8e3e
Instruction ID: ee559c15eccad877249ec435f9e8ce7afdbaeb7fdb19ccd173419c17b6afd191
Opcode Fuzzy Hash: 49237ed6d9e39213bdbc94684ff7287a2e1e8f9d140339528ecd2eb9f52f8e3e
Instruction Fuzzy Hash: 7B9149756283019FC704EF24C48096AB7E4BF89714F14892EF88A97392DB31EE55CF92

Function 00284BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0026000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?,?,0026035E), ref: 0026002B
Part of subcall function 0026000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260046
Part of subcall function 0026000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260054
Part of subcall function 0026000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?), ref: 00260064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00284C51
_wcslen.LIBCMT ref: 00284D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00284DCF
CoTaskMemFree.OLE32(?), ref: 00284DDA

Strings

NULL Pointer assignment, xrefs: 00284E23, 00284E52

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a9faae874e68b641d70777975292fc2277f8e01a5e29df06b2ac62d76a6061d3
Instruction ID: 00ff83c1e7553728162c2f75b498411606df534c0a5138a8c11ab040ab362ff0
Opcode Fuzzy Hash: a9faae874e68b641d70777975292fc2277f8e01a5e29df06b2ac62d76a6061d3
Instruction Fuzzy Hash: D8913B71D1121EEFDF14EFA4D891AEEB7B8BF08304F10816AE915A7291DB705A64CF60

Function 002920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00292183
GetMenuItemCount.USER32(00000000), ref: 002921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002921DD
_wcslen.LIBCMT ref: 00292213
GetMenuItemID.USER32(?,?), ref: 0029224D
GetSubMenu.USER32(?,?), ref: 0029225B

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002922E3

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f70082bb77bd1f870649851cebd4b5f9beb7381570d61e6ce9f58c39a2e4e452
Instruction ID: eacbe45099eb37a0878b525d2ee0320ac4c5dab45d3e6076682ded945f315ee1
Opcode Fuzzy Hash: f70082bb77bd1f870649851cebd4b5f9beb7381570d61e6ce9f58c39a2e4e452
Instruction Fuzzy Hash: 9D716C75E20205EFCF14EFA4C845AAEB7F5AF48310F1484A9E816EB352DB34AD558F90

Function 0026AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0026AEF9
GetKeyboardState.USER32(?), ref: 0026AF0E
SetKeyboardState.USER32(?), ref: 0026AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0026AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0026AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0026AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0026B020

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc7916c1d1e2e81171c14adbdf6776a72c592e166d39fe9389cb52960aa7cdda
Instruction ID: 03e1394504649676075fda1ec98571eaeefe3e47ff57b4526d6d2372a1d24b97
Opcode Fuzzy Hash: bc7916c1d1e2e81171c14adbdf6776a72c592e166d39fe9389cb52960aa7cdda
Instruction Fuzzy Hash: 1451D6A0A247D63DFB3746348C45BBA7EE95B06304F088489F1D9958C3C3E9ACE4DB52

Function 0026ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0026AD19
GetKeyboardState.USER32(?), ref: 0026AD2E
SetKeyboardState.USER32(?), ref: 0026AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0026ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0026ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0026AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0026AE38

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b45834b49a133c99352d1bc100898ac193c68cbe09298bcf29905353c59e52ef
Instruction ID: d8577cf24d1e68b6f0e7327228a31125d737790f9fc562504d610e84e665733a
Opcode Fuzzy Hash: b45834b49a133c99352d1bc100898ac193c68cbe09298bcf29905353c59e52ef
Instruction Fuzzy Hash: 085107A1A247D23DFB378B348C95B7A7EE85B46300F088499E1D5668C3C295ECE4DB52

Function 0023542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00243CD6,?,?,?,?,?,?,?,?,00235BA3,?,?,00243CD6,?,?), ref: 00235470
__fassign.LIBCMT ref: 002354EB
__fassign.LIBCMT ref: 00235506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00243CD6,00000005,00000000,00000000), ref: 0023552C
WriteFile.KERNEL32(?,00243CD6,00000000,00235BA3,00000000,?,?,?,?,?,?,?,?,?,00235BA3,?), ref: 0023554B
WriteFile.KERNEL32(?,?,00000001,00235BA3,00000000,?,?,?,?,?,?,?,?,?,00235BA3,?), ref: 00235584

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 236ede0a8de2565c96b13a0bbd10b21bcb1e4b5c7ab7cf42b3fdf285ee34b73d
Instruction ID: 8b3ea8c3cd2a28ec3a4fedbcbb967552aea303fb18b377d494be74500cf6eeef
Opcode Fuzzy Hash: 236ede0a8de2565c96b13a0bbd10b21bcb1e4b5c7ab7cf42b3fdf285ee34b73d
Instruction Fuzzy Hash: 5B51E6B09106199FDB10CFA8D885BEEBBF9EF08300F14451AF559E7291D730AA51CB60

Function 002810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
Part of subcall function 0028304E: _wcslen.LIBCMT ref: 0028309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00281112
WSAGetLastError.WSOCK32 ref: 00281121
WSAGetLastError.WSOCK32 ref: 002811C9
closesocket.WSOCK32(00000000), ref: 002811F9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 95e140219bc9c77dc83af5aa70d17c130118dc3730f0a596d1b08b56d81df2f3
Instruction ID: 509c32dfa16d8a5d953ec580a001cb70d4c9f64307607324c60c5712eed601aa
Opcode Fuzzy Hash: 95e140219bc9c77dc83af5aa70d17c130118dc3730f0a596d1b08b56d81df2f3
Instruction Fuzzy Hash: 95411475610205AFDB10AF54D888BA9BBEDFF44364F248059FD099B2D2C770AD62CFA1

Function 0026CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026CF22,?), ref: 0026DDFD

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026CF22,?), ref: 0026DE16

lstrcmpiW.KERNEL32(?,?), ref: 0026CF45
MoveFileW.KERNEL32(?,?), ref: 0026CF7F
_wcslen.LIBCMT ref: 0026D005
_wcslen.LIBCMT ref: 0026D01B
SHFileOperationW.SHELL32(?), ref: 0026D061

Strings

\*.*, xrefs: 0026CFF3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7dffea95af215f97728d8eedade91e163de979278d422f90ed782f74aba1c9ff
Instruction ID: 03584ffc534bed83918abfb92d45aab2c8ed75f16b34326e48a92c1eb7a4d3e6
Opcode Fuzzy Hash: 7dffea95af215f97728d8eedade91e163de979278d422f90ed782f74aba1c9ff
Instruction Fuzzy Hash: 48415771D5521D9FDF12EFA4D981AED77B8AF08380F1000E6E545EB142EA34A6D4CF50

Function 00292DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00292E1C
GetWindowLongW.USER32(?,000000F0), ref: 00292E4F
GetWindowLongW.USER32(?,000000F0), ref: 00292E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00292EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00292EE0
GetWindowLongW.USER32(?,000000F0), ref: 00292EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00292F0B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 61a31b96192e944f411042143a53bf1fef2218ad92a5d1b931aab5bf4f861c63
Instruction ID: 1b99c32d0bc19f27d6f0ef58f22fcafd25b0b2c268b8cccb3b18a158d15661ea
Opcode Fuzzy Hash: 61a31b96192e944f411042143a53bf1fef2218ad92a5d1b931aab5bf4f861c63
Instruction Fuzzy Hash: E9312335A15151EFDF21CF18ECD8FA537A4EB8A710F140065F9409B2B2CB60BC649B10

Function 00267726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0026778F
SysAllocString.OLEAUT32(00000000), ref: 00267792
SysAllocString.OLEAUT32(?), ref: 002677B0
SysFreeString.OLEAUT32(?), ref: 002677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002677DE
SysAllocString.OLEAUT32(?), ref: 002677EC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c290443c48ad1123c797c2942e8a9b60c2a82a9716a16dfe0b9e3b3dbbd6c640
Instruction ID: 9d5c3bbcfc84a9dfa5145f709c32d9697506e9f7efc82d9a62cfb0a0c61fae8a
Opcode Fuzzy Hash: c290443c48ad1123c797c2942e8a9b60c2a82a9716a16dfe0b9e3b3dbbd6c640
Instruction Fuzzy Hash: CB21D676618219AFDF11EFA8ED88CBBB7ECEB093687148026F914DB150D674DC818B64

Function 002677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00267868
SysAllocString.OLEAUT32(00000000), ref: 0026786B
SysAllocString.OLEAUT32 ref: 0026788C
SysFreeString.OLEAUT32 ref: 00267895
StringFromGUID2.OLE32(?,?,00000028), ref: 002678AF
SysAllocString.OLEAUT32(?), ref: 002678BD

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 555a765afd3881a548870f72156f77e82a4f2699031f87788c3c36dee9f7eb4c
Instruction ID: 028f68fbf32979ad94a2c7d2bb51b53dd7ceac1de655216134c387d5725101dc
Opcode Fuzzy Hash: 555a765afd3881a548870f72156f77e82a4f2699031f87788c3c36dee9f7eb4c
Instruction Fuzzy Hash: 36218331618205AFDF10AFB8EC8CDBA77ECEB097647208125F915CB2A1D670DC91DB64

Function 002704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0027052E

Strings

nul, xrefs: 00270567

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cebd83e7f8d1f2ef9a74994b696572de563c3bfb8cc83161f1e2dc703e72b671
Instruction ID: ffcc8db309baecbae283d07fff7631dadbf4c75f3aff8a9af816cbbb4917ff30
Opcode Fuzzy Hash: cebd83e7f8d1f2ef9a74994b696572de563c3bfb8cc83161f1e2dc703e72b671
Instruction Fuzzy Hash: 59217475920306DFDB209F29DC88A5A77B4BF44724F608A19F8A5D72E0D7709968CF20

Function 002705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00270601

Strings

nul, xrefs: 00270639

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e26f6e4cc217c19acb54042327fb92d6429898cfa63d6bd4bafdeeae8bd594b0
Instruction ID: afcd86e6047930d5fc77053945af4f45985f41e23860b2a836ea108dd6bb9caa
Opcode Fuzzy Hash: e26f6e4cc217c19acb54042327fb92d6429898cfa63d6bd4bafdeeae8bd594b0
Instruction Fuzzy Hash: 9121B575510306DBDB209F69DC94A5A77E8BF85720F208B1AFCA5E72D0D7B09874CB20

Function 002940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
Part of subcall function 0020600E: GetStockObject.GDI32(00000011), ref: 00206060
Part of subcall function 0020600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00294112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0029411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0029412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00294139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00294145

Strings

Msctls_Progress32, xrefs: 002940E3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8486173a11265a30346fbf1cc3034a585bed54784ff04f20866dff5e97335287
Instruction ID: bfc928d075c3bdd5951d175d84737ff923e79abbe9ecebe51ef131c7c5a5c52c
Opcode Fuzzy Hash: 8486173a11265a30346fbf1cc3034a585bed54784ff04f20866dff5e97335287
Instruction Fuzzy Hash: 5C11B2B215021ABEFF119F64CC85EE77F5DEF09798F004111BA18A2090C6729C31DBA4

Function 0023D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0023D7A3: _free.LIBCMT ref: 0023D7CC

_free.LIBCMT ref: 0023D82D

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023D838
_free.LIBCMT ref: 0023D843
_free.LIBCMT ref: 0023D897
_free.LIBCMT ref: 0023D8A2
_free.LIBCMT ref: 0023D8AD
_free.LIBCMT ref: 0023D8B8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 55137dc936421f38ba08708b797a44cb7214c60cae8e99b732186d554bc01a85
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 611151B1960B14EAD521BFB0EC47FCBBBDC6F00700F400825B699A6192DA65B5254E50

Function 0026DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0026DA74
LoadStringW.USER32(00000000), ref: 0026DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0026DA91
LoadStringW.USER32(00000000), ref: 0026DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0026DAB9

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 732f966f55684d88f56d0ecc4f6a7f8cf3e1594262337eb5efc9482995ad5942
Instruction ID: 4cb0417765d89ee55769c09894293d6240c7969499d1beaded8a19a7941a3f5d
Opcode Fuzzy Hash: 732f966f55684d88f56d0ecc4f6a7f8cf3e1594262337eb5efc9482995ad5942
Instruction Fuzzy Hash: 870162F29142087FEB10DBE4AD8DEE7766CEB08301F500497B746E2041EA749E844F74

Function 0027096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0141E140,0141E140), ref: 0027097B
EnterCriticalSection.KERNEL32(0141E120,00000000), ref: 0027098D
TerminateThread.KERNEL32(?,000001F6), ref: 0027099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002709A9
CloseHandle.KERNEL32(?), ref: 002709B8
InterlockedExchange.KERNEL32(0141E140,000001F6), ref: 002709C8
LeaveCriticalSection.KERNEL32(0141E120), ref: 002709CF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ffb467ffe08306f70b6412416a5740ce87c69a4d04112d67b05cf05324eaaceb
Instruction ID: ff90028451c412b349333f639339ca3ab684b8ce721a740e7cb6d150345570eb
Opcode Fuzzy Hash: ffb467ffe08306f70b6412416a5740ce87c69a4d04112d67b05cf05324eaaceb
Instruction Fuzzy Hash: 43F0CD31442912EBD7515FA4EE8DAD67A25BF05702F901026F601508A1C775A475CFA4

Function 00281C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00281DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00281DE1
WSAGetLastError.WSOCK32 ref: 00281DF2
htons.WSOCK32(?,?,?,?,?), ref: 00281EDB
inet_ntoa.WSOCK32(?), ref: 00281E8C

Part of subcall function 002639E8: _strlen.LIBCMT ref: 002639F2

Part of subcall function 00283224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0027EC0C), ref: 00283240

_strlen.LIBCMT ref: 00281F35

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 0d9967fb4b816c3d7bf6714af3948f5f7a08d114298a0c7a55032a8749a9b7db
Instruction ID: ceefc5d3f14aa9d2630367f87e082296c5b03f4dfd6a689bddab4d9a4e69e773
Opcode Fuzzy Hash: 0d9967fb4b816c3d7bf6714af3948f5f7a08d114298a0c7a55032a8749a9b7db
Instruction Fuzzy Hash: 7FB1D134214301AFC324EF24C885E2A7BE9AF94318F54894CF5565B2E3DB71EDA2CB91

Function 00205D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00205D30
GetWindowRect.USER32(?,?), ref: 00205D71
ScreenToClient.USER32(?,?), ref: 00205D99
GetClientRect.USER32(?,?), ref: 00205ED7
GetWindowRect.USER32(?,?), ref: 00205EF8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a9e506894cce9127a232ff4f8ff5779459c0782c1aed99df71d79fe32e36e78b
Instruction ID: 18ff8d19465dd34946a9b0005d65c6d67f8612169b74ed18386918ff3ae6becd
Opcode Fuzzy Hash: a9e506894cce9127a232ff4f8ff5779459c0782c1aed99df71d79fe32e36e78b
Instruction Fuzzy Hash: 05B16A34A20B4ADBDB14DFA8C4447EAB7F1FF58310F14841AE8A9D7290DB34AA61DF50

Function 002301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002300D6
__allrem.LIBCMT ref: 002300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0023010B
__allrem.LIBCMT ref: 00230122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00230140

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ec66ab2f6e24f4617ca530a946c3ac76555d257ac6ad620aca9e94e24465cab
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 42815AB2A20716ABE7249F78CD91B6B73F8AF41720F24413AF550D76C1E770D9208B60

Function 002361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002282D9,002282D9,?,?,?,0023644F,00000001,00000001,8BE85006), ref: 00236258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0023644F,00000001,00000001,8BE85006,?,?,?), ref: 002362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002363D8
__freea.LIBCMT ref: 002363E5

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

__freea.LIBCMT ref: 002363EE
__freea.LIBCMT ref: 00236413

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fca6f3fe5332b4bf7b7633487996f90805860d20a302c46f2b4c5a42eaa038dc
Instruction ID: 6377692ffc90f60b07327207322f2e3d3dc1db9d8e71c6cbb0b8bc7fb5bd7e0e
Opcode Fuzzy Hash: fca6f3fe5332b4bf7b7633487996f90805860d20a302c46f2b4c5a42eaa038dc
Instruction Fuzzy Hash: A551E3B2A20217BBDB258FA4DC89EBF77ADEB44B10F158669FD05D6140DB34DC60CA60

Function 0028BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028BD25
RegCloseKey.ADVAPI32(00000000), ref: 0028BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0028BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028BDF3
RegCloseKey.ADVAPI32(?), ref: 0028BDFF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3caf638c3a48096f0eabd0f50bfedf65efe0f27538e512be8a5e6f31614c1a65
Instruction ID: 4e72a214fbef1c028f2079a3c4cfce09aeed313a97c09375879aa4d11edddacb
Opcode Fuzzy Hash: 3caf638c3a48096f0eabd0f50bfedf65efe0f27538e512be8a5e6f31614c1a65
Instruction Fuzzy Hash: E0819B34228241AFD715EF24C885E2ABBE5FF84308F14855DF4594B2A2CB31ED55CB92

Function 0025F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0025F7B9
SysAllocString.OLEAUT32(00000001), ref: 0025F860
VariantCopy.OLEAUT32(0025FA64,00000000), ref: 0025F889
VariantClear.OLEAUT32(0025FA64), ref: 0025F8AD
VariantCopy.OLEAUT32(0025FA64,00000000), ref: 0025F8B1
VariantClear.OLEAUT32(?), ref: 0025F8BB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: addf42f2e79f1b27763fdb99ee3f0967704e3ee08928831b690991a5d7135bf4
Instruction ID: ed94fb1a76cc77b72f308c236dccd85f1e93fd006a45e9f86a2ac984e192904f
Opcode Fuzzy Hash: addf42f2e79f1b27763fdb99ee3f0967704e3ee08928831b690991a5d7135bf4
Instruction Fuzzy Hash: 8851D931630310ABCF90AF65D995B29B3A8EF45312B245467ED05DF292DB708CA4CB5A

Function 0027910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002794E5
_wcslen.LIBCMT ref: 00279506
_wcslen.LIBCMT ref: 0027952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00279585

Strings

X, xrefs: 00279412

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3c10ff82f93e9ae5a7c7b275098f6b8dfe259c2d3f464d39b16e632854d3ee8b
Instruction ID: 20d93f676d4f2e047267c755e844e50046a74681f22c6732ad5326cc74ec3386
Opcode Fuzzy Hash: 3c10ff82f93e9ae5a7c7b275098f6b8dfe259c2d3f464d39b16e632854d3ee8b
Instruction Fuzzy Hash: AAE1D3315283518FC724EF24C881A6AB7E4FF85314F04896DF8899B2A2DB30DD95CF92

Function 0021920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

BeginPaint.USER32(?,?,?), ref: 00219241
GetWindowRect.USER32(?,?), ref: 002192A5
ScreenToClient.USER32(?,?), ref: 002192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002192D3
EndPaint.USER32(?,?,?,?,?), ref: 00219321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002571EA

Part of subcall function 00219339: BeginPath.GDI32(00000000), ref: 00219357

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 356c92a20ea1115673d82f258e244b3dc1578801094514999741baa6b14402e1
Instruction ID: fba255d965e0fa0df06b6127249dbfd0fab281992bedf365ca47a9361980fc6d
Opcode Fuzzy Hash: 356c92a20ea1115673d82f258e244b3dc1578801094514999741baa6b14402e1
Instruction Fuzzy Hash: 5A41EF30115201AFD710DF24ECA8FEA7BE8EF55320F14026AF968872A1C7309CA5DB61

Function 002707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0027080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00270847
EnterCriticalSection.KERNEL32(?), ref: 00270863
LeaveCriticalSection.KERNEL32(?), ref: 002708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00270921

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: dda34aebc38fb61445b7bd01d1d3cf44803adbcb4c2f159a942edfd1b4e48a50
Instruction ID: 35b5bb286c6d2e61699d1f84a7fa9dd078a2d9bdc2c75322af44b474e6d0c346
Opcode Fuzzy Hash: dda34aebc38fb61445b7bd01d1d3cf44803adbcb4c2f159a942edfd1b4e48a50
Instruction Fuzzy Hash: 4A416871A10205EFDF14AF54EC85AAA77B8FF04300F1480A5ED049A29BDB70DE64DBA4

Function 002981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0025F3AB,00000000,?,?,00000000,?,0025682C,00000004,00000000,00000000), ref: 0029824C
EnableWindow.USER32(?,00000000), ref: 00298272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002982D1
ShowWindow.USER32(?,00000004), ref: 002982E5
EnableWindow.USER32(?,00000001), ref: 0029830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0029832F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: aed7596a581cf31bf7a25bf45ccae85217d0664642cb00a2be2f4e13f11380f2
Instruction ID: a9381927f95995e968fe7768548a34e3e5e80c4727d89b5def12acc6f8ac0cd3
Opcode Fuzzy Hash: aed7596a581cf31bf7a25bf45ccae85217d0664642cb00a2be2f4e13f11380f2
Instruction Fuzzy Hash: D3418434A01685AFDF15CF15D899BF47BE1BB4B714F1C41AAE9084B262CB31AC61CB54

Function 00264C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00264C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00264CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00264CEA
_wcslen.LIBCMT ref: 00264D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00264D10
_wcsstr.LIBVCRUNTIME ref: 00264D1A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 411883b81a380a65c35adeb876c50573bec3ca3c9d80cee94a8ae6150affe36a
Instruction ID: a8b957a6571d1c812396dd9b8dd82bbd6257fe968e9a7ee4254ddd61c79ddd44
Opcode Fuzzy Hash: 411883b81a380a65c35adeb876c50573bec3ca3c9d80cee94a8ae6150affe36a
Instruction Fuzzy Hash: FF213B32614201BBEB196F35EC49E7F7BDCDF45750F10403AF805CA191DA61DCA0D6A0

Function 0027581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00203AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00203A97,?,?,00202E7F,?,?,?,00000000), ref: 00203AC2

_wcslen.LIBCMT ref: 0027587B
CoInitialize.OLE32(00000000), ref: 00275995
CoCreateInstance.OLE32(0029FCF8,00000000,00000001,0029FB68,?), ref: 002759AE
CoUninitialize.OLE32 ref: 002759CC

Strings

.lnk, xrefs: 00275876, 002758C1, 00275985

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 15402c81334bb7730c188d0d51ac5d2e2fa771c2a66fd04673cf6a94a4927196
Instruction ID: c734a2951abe96e8d21f514a1af01f8830fbc28ecc2e7942c34062274bf3467d
Opcode Fuzzy Hash: 15402c81334bb7730c188d0d51ac5d2e2fa771c2a66fd04673cf6a94a4927196
Instruction Fuzzy Hash: C6D15270624712DFC714DF24C484A2ABBE1EF89314F14885DF88A9B3A2DB71EC55CB92

Function 0026175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00260FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00260FCA
Part of subcall function 00260FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00260FD6
Part of subcall function 00260FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00260FE5
Part of subcall function 00260FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00260FEC
Part of subcall function 00260FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00261002

GetLengthSid.ADVAPI32(?,00000000,00261335), ref: 002617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002617BA
HeapAlloc.KERNEL32(00000000), ref: 002617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002617DA
GetProcessHeap.KERNEL32(00000000,00000000,00261335), ref: 002617EE
HeapFree.KERNEL32(00000000), ref: 002617F5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c751e22dcca042c2293f5829e7d13df12ea0924f979a7c82b1b53c279a80338b
Instruction ID: f1ccfcac824d004210253ca1da8368ebab47bf2919e377f5f55880751fb810e7
Opcode Fuzzy Hash: c751e22dcca042c2293f5829e7d13df12ea0924f979a7c82b1b53c279a80338b
Instruction Fuzzy Hash: AE11E231520206FFDB119FA4DC49FAFBBB9EF45355F284029F4459B210D735AAA0CBA0

Function 002614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00261506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00261515
CloseHandle.KERNEL32(00000004), ref: 00261520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0026154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00261563

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 45eeb34148aa68d5d28ce6d56abdc7d2142f7054fd6d865bb6235b8cef5387a3
Instruction ID: 3cac5aba750a9e5552a5eb050730850109012b1d33ddec74c52fb3a777f4f6a5
Opcode Fuzzy Hash: 45eeb34148aa68d5d28ce6d56abdc7d2142f7054fd6d865bb6235b8cef5387a3
Instruction Fuzzy Hash: D7113A7250120EABDF119FA8EE49FDE7BA9EF48744F184055FA05A2060C375DEA0DB61

Function 00223382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00223379,00222FE5), ref: 00223390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0022339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002233B7
SetLastError.KERNEL32(00000000,?,00223379,00222FE5), ref: 00223409

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2e8af743786a458fac122f56a58b7e4ef679d952e67df588f3fe5a00e99d472b
Instruction ID: 498fdeee2f69e65951c14025709a4902c53ce91a67844879ac8c813bc3281ede
Opcode Fuzzy Hash: 2e8af743786a458fac122f56a58b7e4ef679d952e67df588f3fe5a00e99d472b
Instruction Fuzzy Hash: B0012832238332BEA614BBF47C899762A98EB057757300269F410801F0EF154E329988

Function 00232D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00235686,00243CD6,?,00000000,?,00235B6A,?,?,?,?,?,0022E6D1,?,002C8A48), ref: 00232D78
_free.LIBCMT ref: 00232DAB
_free.LIBCMT ref: 00232DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0022E6D1,?,002C8A48,00000010,00204F4A,?,?,00000000,00243CD6), ref: 00232DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0022E6D1,?,002C8A48,00000010,00204F4A,?,?,00000000,00243CD6), ref: 00232DEC
_abort.LIBCMT ref: 00232DF2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 39bfb3c161dd6127a48f5330396d23f33bf5715af9aad44b9b180526db88d7d0
Instruction ID: 94900ab5e88fdf8e39134279a70cf0c5495d033146d747cafa3f0cefc4ebfb1d
Opcode Fuzzy Hash: 39bfb3c161dd6127a48f5330396d23f33bf5715af9aad44b9b180526db88d7d0
Instruction Fuzzy Hash: EDF028B1535605EBC2123B34BC0AF1B2559AFC27A0F34045AF828922E2EE708C3A5520

Function 00298A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00219639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196A2
Part of subcall function 00219639: BeginPath.GDI32(?), ref: 002196B9
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00298A4E
LineTo.GDI32(?,00000003,00000000), ref: 00298A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00298A70
LineTo.GDI32(?,00000000,00000003), ref: 00298A80
EndPath.GDI32(?), ref: 00298A90
StrokePath.GDI32(?), ref: 00298AA0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 72391f6df5d3b5fccb4f58a4dba5373120b80d27dcd79b56b71725a6cac81b52
Instruction ID: 41ddbd880f125183e80b51225999d3f5780b77d705cbdbeb74c58d6d606edd34
Opcode Fuzzy Hash: 72391f6df5d3b5fccb4f58a4dba5373120b80d27dcd79b56b71725a6cac81b52
Instruction Fuzzy Hash: D2110976000149FFDF129F90EC88EEA7F6DEB08350F148012FA199A1A1C7719D65DFA0

Function 002651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00265218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00265229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00265230
ReleaseDC.USER32(00000000,00000000), ref: 00265238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0026524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00265261

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0c91e4b001f4d0ca1aef9396cfadf1cd8fa641c6866cc8dd7df0aa8e82b19fce
Instruction ID: 31f6457b7628f26114b768d1ec513bc377b40d0695b5bfb2b7b5391bc35de128
Opcode Fuzzy Hash: 0c91e4b001f4d0ca1aef9396cfadf1cd8fa641c6866cc8dd7df0aa8e82b19fce
Instruction Fuzzy Hash: 0F016275E00719BBEF109FA59C49E5EBFB8EF48751F144066FA04A7281D6709C10CFA0

Function 00201BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00201BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00201C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00201C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00201C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00201C22

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ff3bb8eb46e1535816a4f8892caa6c225968d967fb262f99664bb7a0acf73991
Instruction ID: d87174f940dbecd3e824e4ca31f4fdb61fbf10d3aafa3fd6d22cacd732618e96
Opcode Fuzzy Hash: ff3bb8eb46e1535816a4f8892caa6c225968d967fb262f99664bb7a0acf73991
Instruction Fuzzy Hash: AD0167B0902B5ABDE3008F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5

Function 0026EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0026EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0026EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0026EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026EB75

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 639160ba26d4ba407768260fee7d870f1e7348312614c2556323d4bd00cf58f1
Instruction ID: 545945ae881785dbff2de54a40bd4ddc3649753f41090e57ffaec2fae8b87608
Opcode Fuzzy Hash: 639160ba26d4ba407768260fee7d870f1e7348312614c2556323d4bd00cf58f1
Instruction Fuzzy Hash: 16F05E72240158BBE7215B62EC0EEEF3E7CEFCAB11F10015AF601D1091D7A05A01C6B9

Function 00257439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00257452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00257469
GetWindowDC.USER32(?), ref: 00257475
GetPixel.GDI32(00000000,?,?), ref: 00257484
ReleaseDC.USER32(?,00000000), ref: 00257496
GetSysColor.USER32(00000005), ref: 002574B0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 037d1e545685816caa5016b9f3d8df11ed66624ce235fad75037e39bf1ce91c5
Instruction ID: c8234c0f2c582b08af70960f1adeca04b8e3e428e8b415aa472d191229edf109
Opcode Fuzzy Hash: 037d1e545685816caa5016b9f3d8df11ed66624ce235fad75037e39bf1ce91c5
Instruction Fuzzy Hash: F2014B31410215EFDB515FA4EC0CBAA7BB5FB04312FA14165FD1AA21A1CB311E61AB50

Function 00261874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0026187F
UnloadUserProfile.USERENV(?,?), ref: 0026188B
CloseHandle.KERNEL32(?), ref: 00261894
CloseHandle.KERNEL32(?), ref: 0026189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002618A5
HeapFree.KERNEL32(00000000), ref: 002618AC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cecfb7ed86c8ac90e0ba1b8300c6079599e216d10c2a2733f83479e443e7a208
Instruction ID: 2668381d55c485d975060431e656ac394c82ce665641a439c73edc281d004c47
Opcode Fuzzy Hash: cecfb7ed86c8ac90e0ba1b8300c6079599e216d10c2a2733f83479e443e7a208
Instruction Fuzzy Hash: 3DE0E536004101BBDB016FA1FE0C94ABF39FF49B22B208222F22981070CB329420DF68

Function 0020BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0020BEB3

Strings

D%-, xrefs: 0020BCA2
D%-, xrefs: 0020BE9A
D%-D%-, xrefs: 0020BCA5
D%-, xrefs: 0020BDED, 0020BD91, 0020BD1B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%-$D%-$D%-$D%-D%-
API String ID: 1385522511-1171869334
Opcode ID: 00e3efd833e8018ca6b4a7034095d41f8a1cba6fb197a49dc40a47ffafc91e64
Instruction ID: cdc163256b648c07231792a5213400e74abca8dfdc9ca3e28dee56ae1dc30a32
Opcode Fuzzy Hash: 00e3efd833e8018ca6b4a7034095d41f8a1cba6fb197a49dc40a47ffafc91e64
Instruction Fuzzy Hash: 6E916B75A2030ADFCB29CF58C090AA9B7F1FF58310F64416AD941AB392D771ADA1CB90

Function 00287B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00220242: EnterCriticalSection.KERNEL32(002D070C,002D1884,?,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022024D
Part of subcall function 00220242: LeaveCriticalSection.KERNEL32(002D070C,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022028A

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

__Init_thread_footer.LIBCMT ref: 00287BFB

Part of subcall function 002201F8: EnterCriticalSection.KERNEL32(002D070C,?,?,00218747,002D2514), ref: 00220202
Part of subcall function 002201F8: LeaveCriticalSection.KERNEL32(002D070C,?,00218747,002D2514), ref: 00220235

Strings

G, xrefs: 00287C7F
5, xrefs: 00287C78
+T%, xrefs: 00287E2E
Variable must be of type 'Object'., xrefs: 00287C3A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T%$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2187542652
Opcode ID: 71b433806c7acaf1b8625626ff60ba2015fce0e849688ad88fbea9d7443be342
Instruction ID: 8ddf2989590a2623cd45d5f87f0b79f6ae24b564e2cece9352dcbd0f0a44ac2d
Opcode Fuzzy Hash: 71b433806c7acaf1b8625626ff60ba2015fce0e849688ad88fbea9d7443be342
Instruction Fuzzy Hash: 28917E78A25209EFCB14EF54D891DADB7B1FF45300F60805AF8069B292DB71EE61CB51

Function 0026C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026C6EE
_wcslen.LIBCMT ref: 0026C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0026C7CA

Strings

0, xrefs: 0026C6AF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 047004b6bbdfa3719d49fb312190393d308313a7801875a640adda88fc0afb5f
Instruction ID: 9fcf6455bb8ed4adc80cbb49b5a02f7a483f3dbad4d3528fa358d6dd8fc422a5
Opcode Fuzzy Hash: 047004b6bbdfa3719d49fb312190393d308313a7801875a640adda88fc0afb5f
Instruction Fuzzy Hash: 1B51E0716243029BD712AF28C885A7AB7E8AB85314F240A2AF5E5D31D1DB60DCA48F56

Function 0028AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0028AEA3

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

GetProcessId.KERNEL32(00000000), ref: 0028AF38
CloseHandle.KERNEL32(00000000), ref: 0028AF67

Strings

@, xrefs: 0028AE72
<, xrefs: 0028AE6B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4b55f2f7ddd9b6710202c5e9a279bf400842d4b1f04b93e2319018fc6df7fdf6
Instruction ID: ad7168f954805dea8fb1d55313d4d5a507b2f5615b83efb66a4bd1fa54e8a22f
Opcode Fuzzy Hash: 4b55f2f7ddd9b6710202c5e9a279bf400842d4b1f04b93e2319018fc6df7fdf6
Instruction Fuzzy Hash: E7717974A10615DFDB14EF54C484A9EBBF0BF08310F0484AAE816AB7A2CB75ED91CF91

Function 0026719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00267206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0026723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0026724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002672CF

Strings

DllGetClassObject, xrefs: 00267242

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cfcd329648fb2ff5d952ae03b1eded2d827412db3cb21ad80bf385581e6d959f
Instruction ID: 3202e08c1204e2c86e84e2b889e02eb842275f7ec519ab05436eb9716efb6435
Opcode Fuzzy Hash: cfcd329648fb2ff5d952ae03b1eded2d827412db3cb21ad80bf385581e6d959f
Instruction Fuzzy Hash: 91418171614204EFDB15CF64D894B9A7BB9EF44318F2480AEFD099F24AD7B0D994CBA0

Function 00293D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00293E35
IsMenu.USER32(?), ref: 00293E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00293E92
DrawMenuBar.USER32 ref: 00293EA5

Strings

0, xrefs: 00293D89

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b96090586a74daafc6aea66aae092aaeb9d9f7847245ce4a2f94a57c43ce1678
Instruction ID: 0986db0a8ad6949530bbe584a4308937ef2b4724a6892ebb8da921a0a6284ef7
Opcode Fuzzy Hash: b96090586a74daafc6aea66aae092aaeb9d9f7847245ce4a2f94a57c43ce1678
Instruction Fuzzy Hash: 91413775A2120AEFDF10DF50E884AEABBB9FF49354F14412AE945A7250D730AE64CF60

Function 00261DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00261E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00261E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00261EA9

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Strings

ListBox, xrefs: 00261E25
ComboBox, xrefs: 00261DF0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 9a5f08194c6b3438ff81a22e2e0e91587cdbe0c1e135cb0dfc05633b5ec0e043
Instruction ID: 0cfefd1830914d81f4b5adfaead2b7f48648a826b807ba5e035056e7c8dca26a
Opcode Fuzzy Hash: 9a5f08194c6b3438ff81a22e2e0e91587cdbe0c1e135cb0dfc05633b5ec0e043
Instruction Fuzzy Hash: 3B214971A20104BEDB189F60DC49CFFB7B8DF45350B14411AF821A31E2DB359DB59A20

Function 00292F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00292F8D
LoadLibraryW.KERNEL32(?), ref: 00292F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00292FA9
DestroyWindow.USER32(?), ref: 00292FB1

Strings

SysAnimate32, xrefs: 00292F68

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 145b21f1933badbdb74b6aae56769ff73893a6de12b7e1f066cd804ba0b176c0
Instruction ID: 720b3368de4479aedf13bef1179c599063685ee41fe52773ffad3b23ba81f72a
Opcode Fuzzy Hash: 145b21f1933badbdb74b6aae56769ff73893a6de12b7e1f066cd804ba0b176c0
Instruction Fuzzy Hash: 4B21AC72220206FBEF108F64DC84EBB37BDEB59364F100619F954D2590D771DC659B60

Function 00224D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00224D1E,002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002), ref: 00224D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00224DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00224D1E,002328E9,?,00224CBE,002328E9,002C88B8,0000000C,00224E15,002328E9,00000002,00000000), ref: 00224DC3

Strings

mscoree.dll, xrefs: 00224D86
CorExitProcess, xrefs: 00224D98

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d38a92c3a65193b57ae0bad22d91da536c2a782dc53ee1a52cdcb1fae4174bc2
Instruction ID: 7d999542bca3ef08fefd64b8e838484e6e671afaa831c4319b26ad3d617a50b5
Opcode Fuzzy Hash: d38a92c3a65193b57ae0bad22d91da536c2a782dc53ee1a52cdcb1fae4174bc2
Instruction Fuzzy Hash: AAF04F34A50219BBDB159F90EC4DBADBBB5EF44751F5001A5F909A2260CB305E50CA94

Function 0025D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0025D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0025D3BF
FreeLibrary.KERNEL32(00000000), ref: 0025D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0025D3B9
X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 09ca670627ac160d8b8e8a1ec72de63a4c5e9d2ba2e500c1b9c95ff17bcb3653
Instruction ID: 75be6c6a261e85b6938122070a1ac8536c7c379f44bc7ff4a6bcc251bb3a3421
Opcode Fuzzy Hash: 09ca670627ac160d8b8e8a1ec72de63a4c5e9d2ba2e500c1b9c95ff17bcb3653
Instruction Fuzzy Hash: 65F05C31835612EBD7715B209C0C9593314AF10703F644596FC06E2115D7B0CDF8CE9E

Function 00204E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00204EAE
FreeLibrary.KERNEL32(00000000,?,?,00204EDD,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204EC0

Strings

kernel32.dll, xrefs: 00204E94
Wow64DisableWow64FsRedirection, xrefs: 00204EA8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b75fac30c5bdfb1241e2577399f3e1b6dec8a2e188a96f62dfbb4e1169fe456f
Instruction ID: 2e7e06f7c148e8b0539e1ed845da6b273701c048ef7615ae4fdefda38ba2f056
Opcode Fuzzy Hash: b75fac30c5bdfb1241e2577399f3e1b6dec8a2e188a96f62dfbb4e1169fe456f
Instruction Fuzzy Hash: F8E08675A116235BD3222B25FC1CB5B6554AF82B627154116FD08D2151DB60CD1240E4

Function 00204E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00204E74
FreeLibrary.KERNEL32(00000000,?,?,00243CDE,?,002D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00204E87

Strings

kernel32.dll, xrefs: 00204E5B
Wow64RevertWow64FsRedirection, xrefs: 00204E6E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3b6903f7d69c6321de231f3f83db75888ba9dec13778506db180c1c9d49e4c8c
Instruction ID: 75d823ae69fd9b498e55bd0854aae1afa45c2ec77476492d969ce3c1b7f22e6e
Opcode Fuzzy Hash: 3b6903f7d69c6321de231f3f83db75888ba9dec13778506db180c1c9d49e4c8c
Instruction Fuzzy Hash: 63D0C231522722578B222F24FC1CE8B6A18AF86B51355861ABA0CA2191CF20CD21C1E4

Function 00272947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272C05
DeleteFileW.KERNEL32(?), ref: 00272C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00272C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00272CC0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b47f0cc043d9d8988a8e3442cfac3a3110b10caecef12364be953676e2efa303
Instruction ID: 9279604e775c0b2ad73c751af59c3670c4328e316e2e9fd375a6601fb0a47d16
Opcode Fuzzy Hash: b47f0cc043d9d8988a8e3442cfac3a3110b10caecef12364be953676e2efa303
Instruction Fuzzy Hash: 02B15F71D20129EBDF15DFA4CC85EDEB7BDEF49350F1080AAF909E6141EA309A588F61

Function 0028A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0028A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0028A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0028A468
CloseHandle.KERNEL32(?), ref: 0028A63D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 13f53502107fa69c18933495ac55009de79e873364d49b3b2ccd470d0475814f
Instruction ID: 965dd1938ee984e92d08e6e045fa6367e298b14af1f130c00a817ee2dd9c26a5
Opcode Fuzzy Hash: 13f53502107fa69c18933495ac55009de79e873364d49b3b2ccd470d0475814f
Instruction Fuzzy Hash: A7A1D3B56143019FE720EF28C886F2AB7E5AF44714F14885DF55A9B2D2DBB0EC508F92

Function 0023BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002A3700), ref: 0023BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0023BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002D1270,000000FF,?,0000003F,00000000,?), ref: 0023BC36
_free.LIBCMT ref: 0023BB7F

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023BD4B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 8c6c55dd711bb590da71b1bfa84e507b35f453635d5f0926268a58bb85556a23
Instruction ID: d58ab5af3ceb3aa4379e815f5c1f8af718bc56533e11d9cb2a91e877be0e342c
Opcode Fuzzy Hash: 8c6c55dd711bb590da71b1bfa84e507b35f453635d5f0926268a58bb85556a23
Instruction Fuzzy Hash: 7D51EAB1D10219EFCB21EF65AC8596EB7BCEF41310F1006ABEA54D7291EB705E61CB50

Function 0026E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026CF22,?), ref: 0026DDFD

Part of subcall function 0026DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026CF22,?), ref: 0026DE16

Part of subcall function 0026E199: GetFileAttributesW.KERNEL32(?,0026CF95), ref: 0026E19A

lstrcmpiW.KERNEL32(?,?), ref: 0026E473
MoveFileW.KERNEL32(?,?), ref: 0026E4AC
_wcslen.LIBCMT ref: 0026E5EB
_wcslen.LIBCMT ref: 0026E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0026E650

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 7a0138585e07fb6760137daa1ba608e22f8ab8c87293b1e4e4fd9ffe51f6c3c3
Instruction ID: 4c032bf00e88db53b6650d071f6ccbc1cd89b9698a3c0a642b4bb8cf0c52140d
Opcode Fuzzy Hash: 7a0138585e07fb6760137daa1ba608e22f8ab8c87293b1e4e4fd9ffe51f6c3c3
Instruction Fuzzy Hash: 275176B65183855BCB24EFA0D8819DB73DC9F85340F00491EF689D3192EF74A5D88B56

Function 0028B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 0028C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028B6AE,?,?), ref: 0028C9B5
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028C9F1
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA68
Part of subcall function 0028C998: _wcslen.LIBCMT ref: 0028CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0028BB63
RegCloseKey.ADVAPI32(?,?), ref: 0028BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0028BBB3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 383050107755d9fcbee5520c721d7835b3a67abedf3362f1c13379ad0a49963f
Instruction ID: 4df43541345b575ae6d522b23f467c2731c281a5cca093b5c7526d0638327300
Opcode Fuzzy Hash: 383050107755d9fcbee5520c721d7835b3a67abedf3362f1c13379ad0a49963f
Instruction Fuzzy Hash: 9C61CE34229241AFD315EF14C490E2ABBE4FF84308F54855DF49A8B2E2CB31ED55CB92

Function 00268BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00268BCD
VariantClear.OLEAUT32 ref: 00268C3E
VariantClear.OLEAUT32 ref: 00268C9D
VariantClear.OLEAUT32(?), ref: 00268D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00268D3B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f3030eb037d2d93b7acc8981aa300c562e1cbd683a53eb77e92daa0fd8f91bfb
Instruction ID: 3464d8f48611f80be19aaf5a44fe0dac4c4991471b297ef569285a16dfddc7ab
Opcode Fuzzy Hash: f3030eb037d2d93b7acc8981aa300c562e1cbd683a53eb77e92daa0fd8f91bfb
Instruction Fuzzy Hash: 99516CB5A10219EFCB14CF68D884AAAB7F8FF89310B158559E905DB350E730E961CFA0

Function 00278AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00278BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00278BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00278C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00278C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00278C5F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 94f319ec84f5a386056c24695fe90e5c5eb062604e8f172b873915b4ce30d7cf
Instruction ID: 88d7278c6062cd875df221866682f83c64ea70e735e397b57ff9cc3712824657
Opcode Fuzzy Hash: 94f319ec84f5a386056c24695fe90e5c5eb062604e8f172b873915b4ce30d7cf
Instruction Fuzzy Hash: 6C514975A102159FCB05DF64C885AAABBF5FF48314F08C459E849AB3A2CB31ED61CF90

Function 00288EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00288F40
GetProcAddress.KERNEL32(00000000,?), ref: 00288FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00288FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00289032
FreeLibrary.KERNEL32(00000000), ref: 00289052

Part of subcall function 0021F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00271043,?,7529E610), ref: 0021F6E6
Part of subcall function 0021F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0025FA64,00000000,00000000,?,?,00271043,?,7529E610,?,0025FA64), ref: 0021F70D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 8250520ccb9a84d7dec12929b2a957e7a714549a0b536b6f8103fd8fb6324cfa
Instruction ID: 15618c2d3e623695168d05ce23a21bcee59a6e8af354a056764f74899cc826be
Opcode Fuzzy Hash: 8250520ccb9a84d7dec12929b2a957e7a714549a0b536b6f8103fd8fb6324cfa
Instruction Fuzzy Hash: C4519F38611205DFC711EF68C4848ADBBF1FF49314B588099E90AAB7A2CB31ED95CF90

Function 00296B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00296C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00296C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00296C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0027AB79,00000000,00000000), ref: 00296C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00296CC7

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b958da1ac36f4a286d4b29c97c963a94508509eba6110902a2b6a3e0e7eb9eb4
Instruction ID: 6a0dbb47397573a09da00716ce898a6f2b9947ac3e0949b2fb4a95f2c2600626
Opcode Fuzzy Hash: b958da1ac36f4a286d4b29c97c963a94508509eba6110902a2b6a3e0e7eb9eb4
Instruction Fuzzy Hash: 8E41D435A24105AFDF24CF68CC5CFA97BE5EB09360F15022AF899A72E0D371ED61CA50

Function 00232051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002320C3
_free.LIBCMT ref: 002320E3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c22fc7e423b24f0368d1d20a3fedc1c0c5fba201e117a76fe5ed287324e1baae
Instruction ID: 075143f62c3a6cc931c8765247a2174d1806c28c981057152637e20171801be0
Opcode Fuzzy Hash: c22fc7e423b24f0368d1d20a3fedc1c0c5fba201e117a76fe5ed287324e1baae
Instruction Fuzzy Hash: 5641F3B2A20200EFCB24DF78C980A5EB3F5EF88714F2545A8E519EB352D731AD15CB80

Function 0021912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00219141
ScreenToClient.USER32(00000000,?), ref: 0021915E
GetAsyncKeyState.USER32(00000001), ref: 00219183
GetAsyncKeyState.USER32(00000002), ref: 0021919D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7a5308ec6a9e2f23904ef7c75d7d921ff9eb4a9212ff0ce93c4e5500cea6a2e8
Instruction ID: dee9cb743bebbba687dd4b00b6d95388e99ec8c354a8a3475b64aef6cd48ca46
Opcode Fuzzy Hash: 7a5308ec6a9e2f23904ef7c75d7d921ff9eb4a9212ff0ce93c4e5500cea6a2e8
Instruction Fuzzy Hash: 39417F7191850BFBDF059F64D858BEEB7B4FB05320F208216E829A2290C77069E4CF51

Function 00273874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00273922
TranslateMessage.USER32(?), ref: 0027394B
DispatchMessageW.USER32(?), ref: 00273955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00273966

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f39bc613373f49df62157254e6b4db4a6dabd38873d316931897de3c505f3f7e
Instruction ID: 7f0441f9ecb155bb65bfad5e40f6c82160da1b62c79d8728a277c44712bb149d
Opcode Fuzzy Hash: f39bc613373f49df62157254e6b4db4a6dabd38873d316931897de3c505f3f7e
Instruction Fuzzy Hash: B0310B70925383EEEB35CF34E80CBB637A8AB05300F14855ED55AC2590D3F09AA4EB11

Function 0027CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0027CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0027C21E,00000000), ref: 0027CFF2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 29493a8265be7571a0a2c001e1fa3a14879d5e6a30968cc884e18b011e4e9302
Instruction ID: f82d19386ffefe7dea1f9be8a4cb337f437c4cd09f6afeb5f976f4bbc43629e4
Opcode Fuzzy Hash: 29493a8265be7571a0a2c001e1fa3a14879d5e6a30968cc884e18b011e4e9302
Instruction Fuzzy Hash: 78318E71620206EFDB20DFB5D884AABBBF9EF14310B20842FF51AD2511DB30AE50DB61

Function 00261901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00261915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002619E2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e2f227edd48fc080f75bb0aa2bcd48bca7555910fa9d638419a363aae5396a55
Instruction ID: 4249b90a6dd77e31695a64a95c968f2f752ec9503967b0eda1e7a8339316dedc
Opcode Fuzzy Hash: e2f227edd48fc080f75bb0aa2bcd48bca7555910fa9d638419a363aae5396a55
Instruction Fuzzy Hash: 0C31C271910219EFCB04CFA8DD9DADE3BB5EB44315F144225F925A72D1C770A9A4CB90

Function 00295706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00295745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0029579D
_wcslen.LIBCMT ref: 002957AF
_wcslen.LIBCMT ref: 002957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00295816

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 09367af80f801e921618b8f0f2001f866403b57da78d4da4313a65c11564afe4
Instruction ID: faf2ccc5258f26574f49b711ad93f357ab2d3a5de7ae1854b90f1ac80410e7b0
Opcode Fuzzy Hash: 09367af80f801e921618b8f0f2001f866403b57da78d4da4313a65c11564afe4
Instruction Fuzzy Hash: 56218771A24629EADF219FA0DC45AEDB778FF44724F104116F929DA180D7708AA5CF50

Function 00280930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00280951
GetForegroundWindow.USER32 ref: 00280968
GetDC.USER32(00000000), ref: 002809A4
GetPixel.GDI32(00000000,?,00000003), ref: 002809B0
ReleaseDC.USER32(00000000,00000003), ref: 002809E8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0e46e1134365d9c82e26150e2f6f6cc53d98f08c8672d586ab9db1136d5cbfa5
Instruction ID: d64e5174d7ab0bc41b4e3960775927218c25a39b1cc705ffda4855919032259e
Opcode Fuzzy Hash: 0e46e1134365d9c82e26150e2f6f6cc53d98f08c8672d586ab9db1136d5cbfa5
Instruction Fuzzy Hash: C4218175610204AFD714EF69D888AAEBBE9EF48700F148069E85A977A2DB70AC54CF50

Function 0023CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0023CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0023CDE9

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0023CE0F
_free.LIBCMT ref: 0023CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0023CE31

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: da4999ffd80c60c1130a48777e63cd7d4e1bdfd0fd04d1f4ddade0961acb95bd
Instruction ID: a60624b8d73726010ace37f3bbf44da9aebb5bd7fbb4cafd90c5cb5985c62bc7
Opcode Fuzzy Hash: da4999ffd80c60c1130a48777e63cd7d4e1bdfd0fd04d1f4ddade0961acb95bd
Instruction Fuzzy Hash: 5501FCF26212157F23212A767C4CD7B796DDEC6BA1735012AFD05E7201DA618D2187B4

Function 00219639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
SelectObject.GDI32(?,00000000), ref: 002196A2
BeginPath.GDI32(?), ref: 002196B9
SelectObject.GDI32(?,00000000), ref: 002196E2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4bfafff300e03c63ce1df6126347e9402e141dd43248ddac06e9f58bf5417b24
Instruction ID: db15b7f3eaa00a7228daebd1f3ca42dc8fd60ac285eefdebb60c23c8b641ddfd
Opcode Fuzzy Hash: 4bfafff300e03c63ce1df6126347e9402e141dd43248ddac06e9f58bf5417b24
Instruction Fuzzy Hash: 42212C70922286EBDB119F64FC287E97BA8BB60365F200217F414A65A1D3709CF5CBA5

Function 00265711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00265726
_memcmp.LIBVCRUNTIME ref: 00265744
_memcmp.LIBVCRUNTIME ref: 00265757
_memcmp.LIBVCRUNTIME ref: 0026576F
_memcmp.LIBVCRUNTIME ref: 00265787

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c35e46165fbf91dcd2b28be0badafd197d45e67fbb98c098a50fccad91d9ac54
Instruction ID: 0f47b2387794a50bdcd0fbf2a9ae2aedf695fa61178bf9ae87c3587bbcc20248
Opcode Fuzzy Hash: c35e46165fbf91dcd2b28be0badafd197d45e67fbb98c098a50fccad91d9ac54
Instruction Fuzzy Hash: 2301B9616B1625BBD65999109E42FBBB35D9B353A4F004021FD04AA641F761ED7086E0

Function 00232DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0022F2DE,00233863,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6), ref: 00232DFD
_free.LIBCMT ref: 00232E32
_free.LIBCMT ref: 00232E59
SetLastError.KERNEL32(00000000,00201129), ref: 00232E66
SetLastError.KERNEL32(00000000,00201129), ref: 00232E6F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1e6652439f1252ad5e91e608c956b6369f976dff2f3743c582443a4cfc788bc8
Instruction ID: ba28bce5f5e1d890af98bcde0f3af662a7e4da394f1d309c598fc15eccd6cb2a
Opcode Fuzzy Hash: 1e6652439f1252ad5e91e608c956b6369f976dff2f3743c582443a4cfc788bc8
Instruction Fuzzy Hash: D5012DF2235601EBC6126B757C4BE2B255DABC5375F350025F825922D3EFB0EC395420

Function 0026000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?,?,0026035E), ref: 0026002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?), ref: 00260064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0025FF41,80070057,?,?), ref: 00260070

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6114173a1bacbd1644ee960802c17a6e470870005eabd52b3695ec031060b188
Instruction ID: f0386a015005561f413f755b1ceffa2902cc4693ff7fcf72407e9f7a33d9989e
Opcode Fuzzy Hash: 6114173a1bacbd1644ee960802c17a6e470870005eabd52b3695ec031060b188
Instruction Fuzzy Hash: B301A272620215BFDB114F68EC88BAB7AEDEF44791F244125F905D2210D7B1DD90ABA0

Function 0026E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0026E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0026E9A5
Sleep.KERNEL32(00000000), ref: 0026E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0026E9B7
Sleep.KERNEL32 ref: 0026E9F3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 444cd478f1aedb38cfe5d3e4dad2a5196ce9a619fe3dff12b5aa3c98bf5d02cc
Instruction ID: ce6c8c6c01c451add084ebea790e031c442d4c85e8b305b2bda45554bf155914
Opcode Fuzzy Hash: 444cd478f1aedb38cfe5d3e4dad2a5196ce9a619fe3dff12b5aa3c98bf5d02cc
Instruction Fuzzy Hash: 66015735C12629DBCF00AFE5E85DAEDBB78BF08700F120556E902B2240CB3095A48BA6

Function 002610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 0026112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00260B9B,?,?,?), ref: 00261136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0026114D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4e1ceb23e99a08c289caafd169663ea89dd67c7478e80f44a51d97d11ca74cc8
Instruction ID: 0b1b63c10fddc1efc166d923eb1ec6a429713f2aad423c1f4f40aaed1a8c7886
Opcode Fuzzy Hash: 4e1ceb23e99a08c289caafd169663ea89dd67c7478e80f44a51d97d11ca74cc8
Instruction Fuzzy Hash: 45013175100205BFDB114FA5EC4DE6A3F6EEF86360B644466FA45D7360DB31DC509A60

Function 00260FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00260FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00260FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00260FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00260FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00261002

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6b214fbbcc12c6bf053dcc2575c473edb013fc0c9cfaf5972b87519f1d050ea6
Instruction ID: 3251767191968887db474aab3a23453d8f1856257cea2e6590ff570127214e5e
Opcode Fuzzy Hash: 6b214fbbcc12c6bf053dcc2575c473edb013fc0c9cfaf5972b87519f1d050ea6
Instruction Fuzzy Hash: C2F06235100351EBDB215FA4EC4DF563B6DEF89762F644415FD49C7261CA70EC908A70

Function 00261014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0026102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0026104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261062

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 25b50366e9e076da081200e36531b4de69d1d96b7cb74ef99adccc48ff9bc2cc
Instruction ID: db2c28fef6b5d4d6b6316c5f0f159e21b064a7dd574830dc5c21447270632193
Opcode Fuzzy Hash: 25b50366e9e076da081200e36531b4de69d1d96b7cb74ef99adccc48ff9bc2cc
Instruction Fuzzy Hash: DDF06235100321EBDB215FA4EC4DF563B6DEF89761F340415FD45C7260CA70E8908A70

Function 0027030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270324
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270331
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 0027033E
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 0027034B
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270358
CloseHandle.KERNEL32(?,?,?,?,0027017D,?,002732FC,?,00000001,00242592,?), ref: 00270365

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccc7fa50f1316306eef59f1009c0b3c222c593b0c4f8fe7a06a1b5037aa2d5d7
Instruction ID: 509be07a3e872c0e1397f36be1dea457f5c83ea7abfab80b98828072c3a8ae89
Opcode Fuzzy Hash: ccc7fa50f1316306eef59f1009c0b3c222c593b0c4f8fe7a06a1b5037aa2d5d7
Instruction Fuzzy Hash: 91019072810B16DFC730AF66D8C0416F7F5BE502153158A7FD19A52931C371A968CE80

Function 0023D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0023D752

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 0023D764
_free.LIBCMT ref: 0023D776
_free.LIBCMT ref: 0023D788
_free.LIBCMT ref: 0023D79A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7f6a7102a48396d10e10c0deb6072d67a3fb6adb15df073b9b9c32700f84caea
Instruction ID: f15df19ae0b37225785fd05ca6389c88596c77b29adc1f9c46f6184b5093899d
Opcode Fuzzy Hash: 7f6a7102a48396d10e10c0deb6072d67a3fb6adb15df073b9b9c32700f84caea
Instruction Fuzzy Hash: F2F012B2564215EB8621EF64F9C6D16B7DDBB44710FB41845F048D7501C731FCA08A64

Function 00265C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00265C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00265C6F
MessageBeep.USER32(00000000), ref: 00265C87
KillTimer.USER32(?,0000040A), ref: 00265CA3
EndDialog.USER32(?,00000001), ref: 00265CBD

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2e41c77474ec0a39d0b33e9f1ce0435d0944ff815a0f41a532773b621e84bb97
Instruction ID: 3891dbbc1e7d18d1458759de7a47daaad4c8f45ef34385b2535929787d86f3c4
Opcode Fuzzy Hash: 2e41c77474ec0a39d0b33e9f1ce0435d0944ff815a0f41a532773b621e84bb97
Instruction Fuzzy Hash: 74018130510B14AFEB205F10ED4EFA67BBCBB00B05F00056BB583A10E1DBF4A9A48B90

Function 002322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002322BE

Part of subcall function 002329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000), ref: 002329DE
Part of subcall function 002329C8: GetLastError.KERNEL32(00000000,?,0023D7D1,00000000,00000000,00000000,00000000,?,0023D7F8,00000000,00000007,00000000,?,0023DBF5,00000000,00000000), ref: 002329F0

_free.LIBCMT ref: 002322D0
_free.LIBCMT ref: 002322E3
_free.LIBCMT ref: 002322F4
_free.LIBCMT ref: 00232305

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3797fecf0cc1f3a887bdc7f67b3a50853449069bac9e204decdd666f08c2ba77
Instruction ID: ab729723773d0fe5dc969c45013893506e0fe0a8491e6cc212fafbd9483732a9
Opcode Fuzzy Hash: 3797fecf0cc1f3a887bdc7f67b3a50853449069bac9e204decdd666f08c2ba77
Instruction Fuzzy Hash: 91F03AF4C22130DB8712AF54BC49A0D3B64F718760F21164BF818D26B1CB310C36AFA4

Function 002195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002195D4
StrokeAndFillPath.GDI32(?,?,002571F7,00000000,?,?,?), ref: 002195F0
SelectObject.GDI32(?,00000000), ref: 00219603
DeleteObject.GDI32 ref: 00219616
StrokePath.GDI32(?), ref: 00219631

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 61ec557291abd8b15b28df1d2ff84869c7ab202c4036eb3b78ff37948d49ae02
Instruction ID: bf30ea66885aa2819a577e4efc7c54c863f172582468549f489ff2581c6aaedc
Opcode Fuzzy Hash: 61ec557291abd8b15b28df1d2ff84869c7ab202c4036eb3b78ff37948d49ae02
Instruction Fuzzy Hash: D4F01430416289FBDB225F69FD2CBE83BA5AB10322F148216F429654F1C73089F5DF24

Function 00230F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002310F9
__freea.LIBCMT ref: 00231117

Part of subcall function 00231537: _free.LIBCMT ref: 0023154F

Strings

a/p, xrefs: 002311DE
am/pm, xrefs: 0023117A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 004ebeb0e593c18c5fbddd6992ad1059cbb6b66f8e334849e6f4c805b6fecc10
Instruction ID: 3581e63f2778e45f1b7725d4a045188c2fd23ef9e609f7192f0cb34b043cc75c
Opcode Fuzzy Hash: 004ebeb0e593c18c5fbddd6992ad1059cbb6b66f8e334849e6f4c805b6fecc10
Instruction Fuzzy Hash: 62D112B1930207DACB289F68C895BFEB7B0FF05300F284199E945AB654D7759DB0CB91

Function 002861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00220242: EnterCriticalSection.KERNEL32(002D070C,002D1884,?,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022024D
Part of subcall function 00220242: LeaveCriticalSection.KERNEL32(002D070C,?,0021198B,002D2518,?,?,?,002012F9,00000000), ref: 0022028A

Part of subcall function 002200A3: __onexit.LIBCMT ref: 002200A9

__Init_thread_footer.LIBCMT ref: 00286238

Part of subcall function 002201F8: EnterCriticalSection.KERNEL32(002D070C,?,?,00218747,002D2514), ref: 00220202
Part of subcall function 002201F8: LeaveCriticalSection.KERNEL32(002D070C,?,00218747,002D2514), ref: 00220235

Part of subcall function 0027359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002735E4
Part of subcall function 0027359C: LoadStringW.USER32(002D2390,?,00000FFF,?), ref: 0027360A

Strings

x#-, xrefs: 0028633A
x#-, xrefs: 00286353
x#-, xrefs: 0028636F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#-$x#-$x#-
API String ID: 1072379062-1822726949
Opcode ID: 31638c5dfba610da905835d8010ac64d2422ae2b73f6ae226de25dd5b274dfba
Instruction ID: b5c4cd8e3f80d845fb3a89d741a455889cd1c1ece260a2cb48912ba5744ad275
Opcode Fuzzy Hash: 31638c5dfba610da905835d8010ac64d2422ae2b73f6ae226de25dd5b274dfba
Instruction Fuzzy Hash: 0DC1A375A10206AFDB14EF58C894EBEB7B9FF48300F148059F9059B291DB74ED64CB90

Function 00235AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO , xrefs: 00235BA8, 00235C6C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-3468927494
Opcode ID: a836baac6c82113b87300151c7718744ab72fa63c1ca284c494094a95c5a305f
Instruction ID: d986b6f47e8277fc8cd0f0901c8eda0320889a0c46bcfdc46591ac1c28489d0e
Opcode Fuzzy Hash: a836baac6c82113b87300151c7718744ab72fa63c1ca284c494094a95c5a305f
Instruction Fuzzy Hash: 0851E3F1D3062AEFCB109FA4D945FEEBBB8AF05318F14055AF809A7291D77099218B61

Function 00238A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00238B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00238B7A
__dosmaperr.LIBCMT ref: 00238B81

Strings

.", xrefs: 00238A63

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ."
API String ID: 2434981716-2093358890
Opcode ID: 60882213dc8e3557100df9f790f1c3c1bb14bfcd92b1d318ae5569eae76b6729
Instruction ID: 6105980cbbdca90ee9d892d501d3d830ca170c51535640645a02dac62aa0a29c
Opcode Fuzzy Hash: 60882213dc8e3557100df9f790f1c3c1bb14bfcd92b1d318ae5569eae76b6729
Instruction Fuzzy Hash: A14180F0624246AFD7249F24D884A79BFE6DB46304F3845AAF898CF552DE318C228750

Function 00262716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0026B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002621D0,?,?,00000034,00000800,?,00000034), ref: 0026B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00262760

Part of subcall function 0026B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0026B3F8

Part of subcall function 0026B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0026B355
Part of subcall function 0026B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00262194,00000034,?,?,00001004,00000000,00000000), ref: 0026B365
Part of subcall function 0026B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00262194,00000034,?,?,00001004,00000000,00000000), ref: 0026B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0026281A

Strings

@, xrefs: 00262832

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e4d89117710ae9d3b2ceb7f48b5368974e8fa4453271c1fb99557c8815d2747d
Instruction ID: 4e5417268a4c32265e8c203885e0d42b02e199a459102ab807b80ff58fa6678b
Opcode Fuzzy Hash: e4d89117710ae9d3b2ceb7f48b5368974e8fa4453271c1fb99557c8815d2747d
Instruction Fuzzy Hash: 08413D72910218AFDB11DFA4CD45EEEBBB8AF05300F104095FA55B7181DB706E99CF60

Function 0023172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00231769
_free.LIBCMT ref: 00231834
_free.LIBCMT ref: 0023183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00231760, 00231767, 00231796, 002317CE

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 130fbc85e0173df588915bfa0207ff78f58215efa637855b81b3f68039973411
Instruction ID: 139992b7c1676e07944b14adf23dc799cbcbcd58d69c54c13fc82b1f47fdf052
Opcode Fuzzy Hash: 130fbc85e0173df588915bfa0207ff78f58215efa637855b81b3f68039973411
Instruction Fuzzy Hash: 32316FB5E10219FBDB21DF99AC89D9EBBBCEB85310F144167F80497211D7708E60CB94

Function 0026C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0026C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0026C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002D1990,01425BA8), ref: 0026C395

Strings

0, xrefs: 0026C2DF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6f602573821ab67190c5e8c572f04eb5ae803f698048bd10b05f95532c5117da
Instruction ID: 807012d830dc4dfa3581eb216c67dbc61517a689edcbd6aea7832aaa01f7bd04
Opcode Fuzzy Hash: 6f602573821ab67190c5e8c572f04eb5ae803f698048bd10b05f95532c5117da
Instruction Fuzzy Hash: 4E41C731114302DFD720EF24D844B2ABBE4AF85310F20865EF9A5973D1D770E9A4CB62

Function 00294416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0029CC08,00000000,?,?,?,?), ref: 002944AA
GetWindowLongW.USER32 ref: 002944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002944D7

Strings

SysTreeView32, xrefs: 0029447C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7eae9673e61e2f36813e3e38c4177d4a7acfa3f38a5e11238d1ebd2850583d56
Instruction ID: d8a730d2b9d3721e8df1591b2a85668161b34110140319f5c99a73e4276d1279
Opcode Fuzzy Hash: 7eae9673e61e2f36813e3e38c4177d4a7acfa3f38a5e11238d1ebd2850583d56
Instruction Fuzzy Hash: 6131B031220206AFDF209E78DC45FEA77A9EB08334F214719F979921D0D770EC619B50

Function 00266E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00266EED
VariantCopyInd.OLEAUT32(?,?), ref: 00266F08
VariantClear.OLEAUT32(?), ref: 00266F12

Strings

*j&, xrefs: 00266E8B, 00266E90, 00266EF8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j&
API String ID: 2173805711-2273582324
Opcode ID: 8890774658fd96a69fc2f62a809897bda00584e071765a15fd61e449ed8a28c1
Instruction ID: 69c7a3dab869f6f8b4896d7c1397c9ccf936b401010b5849e9e1d047b5afc20a
Opcode Fuzzy Hash: 8890774658fd96a69fc2f62a809897bda00584e071765a15fd61e449ed8a28c1
Instruction Fuzzy Hash: 69318F71624345DBCB05AFA4E8999BD37B6EF85304F2004ADF9034B6A2CB749DA1DB90

Function 0028304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0028335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00283077,?,?), ref: 00283378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0028307A
_wcslen.LIBCMT ref: 0028309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00283106

Strings

255.255.255.255, xrefs: 00283095, 0028309A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 81b91fb9e6a5c68f36b6fff8bb4a5231565e5c7fa73d2aabbe78ad724e2aa9ea
Instruction ID: ec1866cbcd616507665ed6ab4ebc447d1a832b580c808d735a16e87cc28a8481
Opcode Fuzzy Hash: 81b91fb9e6a5c68f36b6fff8bb4a5231565e5c7fa73d2aabbe78ad724e2aa9ea
Instruction Fuzzy Hash: 4231073D611202DFCB10EF28C489EAA77E0EF14B14F248059E8168B7D2DB72EE55CB60

Function 00294653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00294705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00294713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0029471A

Strings

msctls_updown32, xrefs: 00294684

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3eb513a444b6e6812c423c2a1b6bec89f81367aded4f6a2564bd703f19b4e4e6
Instruction ID: df32a5a1768f35144a07c739f6a39f14dfc7a305ad395abbb88e5a0ded7046ec
Opcode Fuzzy Hash: 3eb513a444b6e6812c423c2a1b6bec89f81367aded4f6a2564bd703f19b4e4e6
Instruction Fuzzy Hash: 372162B5610209AFDB10DF64DCD5DB777ADEB5A394B140059FA0097251DB70EC22CA60

Function 002695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0026961D

Strings

#notrayicon, xrefs: 002695B7
#requireadmin, xrefs: 002695D9
#OnAutoItStartRegister, xrefs: 002695F3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 7262d49e837fbe1251587b9e630c19507958857ef6f2e270a46a6ebc931815a3
Instruction ID: b03eda3bd802084679ea2687ab2a8570c3e46ad985830a8155ff1aefca325b50
Opcode Fuzzy Hash: 7262d49e837fbe1251587b9e630c19507958857ef6f2e270a46a6ebc931815a3
Instruction Fuzzy Hash: 68212672234622A6C731AE28D802FB7739C9F65304F54402AFA4A97081EFB1ADF5C695

Function 002937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00293840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00293850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00293876

Strings

Listbox, xrefs: 0029380F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 556b1ea5109fe9d21465937d11eb0f4d3025feb2adc04d45969050de3a5f7829
Instruction ID: 68cf5ff37506a9727b5359b255c56014fcb915cdb4fc3999945cebaf0f8d26ac
Opcode Fuzzy Hash: 556b1ea5109fe9d21465937d11eb0f4d3025feb2adc04d45969050de3a5f7829
Instruction Fuzzy Hash: C9217F72620219BBEF21CE94DC45EAB776EEF89754F108125F9059B190C6719C618BA0

Function 002749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00274A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00274A5C
SetErrorMode.KERNEL32(00000000,?,?,0029CC08), ref: 00274AD0

Strings

%lu, xrefs: 00274A6F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a790d8e468227d42e7e1feb55aff2d11270c89d41129b03f8ba58e4952c804d7
Instruction ID: de03c87b5295ea0826f9331809643a962a02e51f8c22901a86c676fef676582d
Opcode Fuzzy Hash: a790d8e468227d42e7e1feb55aff2d11270c89d41129b03f8ba58e4952c804d7
Instruction Fuzzy Hash: BC316F75A10209AFDB10DF54C885EAA7BF8EF08308F1480A9F909DB252D771EE95CF61

Function 002941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0029424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00294264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00294271

Strings

msctls_trackbar32, xrefs: 00294226

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 76137a1acb38b689b8bce8bec6242c896cfc8cce013dba785e0f4a849b46939e
Instruction ID: e16bbc7fadadea7f8770e27f3a0c6a02674ef6c606ace171508a1819cee1cd05
Opcode Fuzzy Hash: 76137a1acb38b689b8bce8bec6242c896cfc8cce013dba785e0f4a849b46939e
Instruction Fuzzy Hash: 01110632650208BEEF206F29CC06FAB3BACFF85B54F110524FA55E2090D271DC729B20

Function 00262F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

Part of subcall function 00262DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00262DC5
Part of subcall function 00262DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00262DD6
Part of subcall function 00262DA7: GetCurrentThreadId.KERNEL32 ref: 00262DDD
Part of subcall function 00262DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00262DE4

GetFocus.USER32 ref: 00262F78

Part of subcall function 00262DEE: GetParent.USER32(00000000), ref: 00262DF9

GetClassNameW.USER32(?,?,00000100), ref: 00262FC3
EnumChildWindows.USER32(?,0026303B), ref: 00262FEB

Strings

%s%d, xrefs: 00262FFF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: afcd9a6c239dbe888d13278250b77d56e7e4f435edb87b624f91148de9cb4658
Instruction ID: e3fef57a7ea389a6bfac9d55761aeaf8d4f475ec69225a52faf9f7b617ba2ba8
Opcode Fuzzy Hash: afcd9a6c239dbe888d13278250b77d56e7e4f435edb87b624f91148de9cb4658
Instruction Fuzzy Hash: 3D11B4B5610205ABDF14BF70DC89FED376AAF94304F144075F909AB192DE709AA98F70

Function 00295882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002958EE
DrawMenuBar.USER32(?), ref: 002958FD

Strings

0, xrefs: 0029588F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 37463521e6e64bd87014cb4f65a2cc6ff14f16207e07b8212bb541e6ec1742e7
Instruction ID: d121789f671b7a7cf230b8876c64d1ef9036c7b675ddbe093d47e95f834979ff
Opcode Fuzzy Hash: 37463521e6e64bd87014cb4f65a2cc6ff14f16207e07b8212bb541e6ec1742e7
Instruction Fuzzy Hash: 1E018431620228EFEF519F11DC44BEEBBB4FF45760F108099E849D6151DB708AA4DF61

Function 0026007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81d379af5638bea3478ec5bc93c2cc74b021e0d464ab6fb8fba9af3df8da691
Instruction ID: 72c8df95641bb7c449b6eee2ea31c3768200c5eb320a28ae8ae560e068571563
Opcode Fuzzy Hash: d81d379af5638bea3478ec5bc93c2cc74b021e0d464ab6fb8fba9af3df8da691
Instruction Fuzzy Hash: E7C15C75A10206EFDB14CFA4C898BAEB7B5FF48304F208598E905EB251D771ED91DB90

Function 0028342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00283459
CoUninitialize.OLE32 ref: 00283463
VariantInit.OLEAUT32(?), ref: 0028346E
VariantClear.OLEAUT32(?), ref: 0028371B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: eae51115da4fe43187cf4723e5b5994d970552862f4bd62c622ce3bccb03152d
Instruction ID: c55f1fb121c589cdb73be1e5b351d1af92eb9b7a1bdd9dcb13ed9218738e2e17
Opcode Fuzzy Hash: eae51115da4fe43187cf4723e5b5994d970552862f4bd62c622ce3bccb03152d
Instruction Fuzzy Hash: 47A14C796243119FC700EF28C885A6ABBE5FF88714F148859F9499B3A2DB30EE51CF51

Function 00260436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0029FC08,?), ref: 002605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0029FC08,?), ref: 00260608
CLSIDFromProgID.OLE32(?,?,00000000,0029CC40,000000FF,?,00000000,00000800,00000000,?,0029FC08,?), ref: 0026062D
_memcmp.LIBVCRUNTIME ref: 0026064E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fa508c1fd3a5223118b04ca83d17c638e6e3f2d14322b759b4527ec49f3554c1
Instruction ID: 3923e265bd2364efd55e3aef47e3903edc3b2c2575200cb2003d71ba6ae970f8
Opcode Fuzzy Hash: fa508c1fd3a5223118b04ca83d17c638e6e3f2d14322b759b4527ec49f3554c1
Instruction Fuzzy Hash: 85814C71A10209EFCB04DF94C984EEEB7B9FF89315F204558E506AB250DB71AE56CF60

Function 0028A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0028A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0028A6BA

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Process32NextW.KERNEL32(00000000,?), ref: 0028A79C
CloseHandle.KERNEL32(00000000), ref: 0028A7AB

Part of subcall function 0021CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00243303,?), ref: 0021CE8A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f3307e54b70327014b44763e8d25b35d70043526a7d82ebc1486e7333e43997e
Instruction ID: 9022393ee34b4614caf69655f0d2f7768bacd0f4640a7e510015b302135c1440
Opcode Fuzzy Hash: f3307e54b70327014b44763e8d25b35d70043526a7d82ebc1486e7333e43997e
Instruction Fuzzy Hash: 41518E715183019FD710EF24C886A6BBBE8FF89714F00892EF58997292EB30D954CF92

Function 00241391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002414C0

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 90087550df856c184a8a1f36e58d7434cf2f695934671c97ffff9c2e611f6b08
Instruction ID: c3a6086dfe949f45cd2ab9903357572993b3fd8af9b408dc79ca0b8cbba0210f
Opcode Fuzzy Hash: 90087550df856c184a8a1f36e58d7434cf2f695934671c97ffff9c2e611f6b08
Instruction Fuzzy Hash: 90417F71A30111ABDB297FF8AC466BE3AB4EF42370F240266F819D6191E77448F15A71

Function 00296278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002962E2
ScreenToClient.USER32(?,?), ref: 00296315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00296382

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0d157ebada33a26220dcee714c1f3871e294c1966c71f07a6cf74decbee30850
Instruction ID: 3e8403220b1184dbc9686154a2feeb6956cdff38fe21c0da8dfd1bf5f01640d8
Opcode Fuzzy Hash: 0d157ebada33a26220dcee714c1f3871e294c1966c71f07a6cf74decbee30850
Instruction Fuzzy Hash: 48513C7491020AAFDF14DF64D8889AE7BF5EF45760F1081AAF81597290D730EDA1CB50

Function 00281AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00281AFD
WSAGetLastError.WSOCK32 ref: 00281B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00281B8A
WSAGetLastError.WSOCK32 ref: 00281B94

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 0b8f10a7036789a10b4554b259e8378a55002eb23488e2f24ca87e6fa4099fde
Instruction ID: 72560653ba590221a7f9f2c4a58f8f0957267435a79a2bf0f123d623736997bb
Opcode Fuzzy Hash: 0b8f10a7036789a10b4554b259e8378a55002eb23488e2f24ca87e6fa4099fde
Instruction Fuzzy Hash: C241F4786103016FE720AF24C88AF6577E5AB44718F548448F91A9F3D3D772EDA2CB90

Function 0023B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc21713dd33936da7403b8987acfd15c91df97bf375b9b15351a64fa7f41bb1d
Instruction ID: cc6a6699caccb3d534cb872ebb201a7bd4caf1b9f28ee5c52d1e42c76186daeb
Opcode Fuzzy Hash: fc21713dd33936da7403b8987acfd15c91df97bf375b9b15351a64fa7f41bb1d
Instruction Fuzzy Hash: 6D412BB6A20314BFD7259F78CC51B6ABBF9EB88710F10452EF641DB281D77199618B80

Function 002756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00275783
GetLastError.KERNEL32(?,00000000), ref: 002757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002757FA

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ec44cbe0b4d1f4fe084fa30b300f807f54527c1e6d8b3c60a33480133676c4d4
Instruction ID: b4f1062eebcabc105ee8efa0bbba4303f61c43baacb2ccf782640a005f0f2381
Opcode Fuzzy Hash: ec44cbe0b4d1f4fe084fa30b300f807f54527c1e6d8b3c60a33480133676c4d4
Instruction Fuzzy Hash: 3B410839610611DFCB11EF15C544A5ABBE2AF89320B59C489EC4AAB3A2CB74FD50CF91

Function 0023D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00226D71,00000000,00000000,002282D9,?,002282D9,?,00000001,00226D71,?,00000001,002282D9,002282D9), ref: 0023D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0023D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0023D9AB
__freea.LIBCMT ref: 0023D9B4

Part of subcall function 00233820: RtlAllocateHeap.NTDLL(00000000,?,002D1444,?,0021FDF5,?,?,0020A976,00000010,002D1440,002013FC,?,002013C6,?,00201129), ref: 00233852

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: afdfb857c98e580dfc8d806953e5cf6bf57031d37f2725d3c56596c211fb91ea
Instruction ID: 700b49650160d7f36e94fca4f1aae9bdedc3ad7366a03dc8db94583fce4bb94e
Opcode Fuzzy Hash: afdfb857c98e580dfc8d806953e5cf6bf57031d37f2725d3c56596c211fb91ea
Instruction Fuzzy Hash: C331F0B2A2021AABDF25DF64EC45EAE7BA5EF40310F150169FC04D7250EB35CD60CBA0

Function 002952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00295352
GetWindowLongW.USER32(?,000000F0), ref: 00295375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00295382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002953A8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 251ce5690f4cf9b520dd7a16d3041c6695884ec59188434b257aed9c742253a2
Instruction ID: 60fdfb1a6ad7b9744293e714709d29831a7f96951afae6648457480174727e32
Opcode Fuzzy Hash: 251ce5690f4cf9b520dd7a16d3041c6695884ec59188434b257aed9c742253a2
Instruction Fuzzy Hash: F7310330B75A29FFEF369E14DC19BE83765AB04390F584182FA00961E1C3F09DA09B49

Function 0026AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0026ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0026AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0026AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0026ACC6

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3162e7f6ac18ce9e21bbe4a159d02d85eaed293b50cd532c3887e3e2abb148e4
Instruction ID: d81e6516278931a9401f2f23c99e29867e77a7d1a6cecfc7f12e2e624ca59ee9
Opcode Fuzzy Hash: 3162e7f6ac18ce9e21bbe4a159d02d85eaed293b50cd532c3887e3e2abb148e4
Instruction Fuzzy Hash: 9D310730A20719AFEF35CF658C087FA7BA9AB89310F14431BE485A21D1C375D9E59F52

Function 00297674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0029769A
GetWindowRect.USER32(?,?), ref: 00297710
PtInRect.USER32(?,?,00298B89), ref: 00297720
MessageBeep.USER32(00000000), ref: 0029778C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5baaa6c7946f3bbf17c61d7836d0ddc1b125616970ee90f384c9cbdc71aa54a3
Instruction ID: 670be0a97f89866cb8dd420f51c005c51e06e16bf7169fba410493433beafe8d
Opcode Fuzzy Hash: 5baaa6c7946f3bbf17c61d7836d0ddc1b125616970ee90f384c9cbdc71aa54a3
Instruction Fuzzy Hash: FB416B34A29215EFCF11CF98D898EE9B7F5FF89314F1581A9E8149B261C730A961CF90

Function 002916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002916EB

Part of subcall function 00263A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263A57
Part of subcall function 00263A3D: GetCurrentThreadId.KERNEL32 ref: 00263A5E
Part of subcall function 00263A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002625B3), ref: 00263A65

GetCaretPos.USER32(?), ref: 002916FF
ClientToScreen.USER32(00000000,?), ref: 0029174C
GetForegroundWindow.USER32 ref: 00291752

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6449271fdafb2952a2343a4a1ba515b993f508c374bff1baf40917f9189fb1c3
Instruction ID: f3e589e9e444a71ac47138b2ed21f1dfd2fd8e1134eb8f88266e358b217c25ce
Opcode Fuzzy Hash: 6449271fdafb2952a2343a4a1ba515b993f508c374bff1baf40917f9189fb1c3
Instruction Fuzzy Hash: 89313075D10249AFDB00EFA5C8858AEB7F9EF48304B5080AAE415E7252D7319E55CFA1

Function 00298FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

GetCursorPos.USER32(?), ref: 00299001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00257711,?,?,?,?,?), ref: 00299016
GetCursorPos.USER32(?), ref: 0029905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00257711,?,?,?), ref: 00299094

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3d30a497764b7d63b4b60054b32f2f20eddda569eb2920148d83aeb74976fb1b
Instruction ID: 84a19348448f67ccd887facc0c3262115a8a74c56a8de84949d036b3cbd0ab7c
Opcode Fuzzy Hash: 3d30a497764b7d63b4b60054b32f2f20eddda569eb2920148d83aeb74976fb1b
Instruction Fuzzy Hash: 29219F35610018FFDF258F99D858EEA7BB9EB8A360F14406AF91597261C3329DB0DB60

Function 0026D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0029CB68), ref: 0026D2FB
GetLastError.KERNEL32 ref: 0026D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0026D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0029CB68), ref: 0026D376

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8f4702669a4bd2eda673d190c366036aafd08830f580f9b6c7c15dc4eefb8847
Instruction ID: 335990a6eb62b95ffb642a64d4c2b4c850f2ee6026130e50276090c98c509ead
Opcode Fuzzy Hash: 8f4702669a4bd2eda673d190c366036aafd08830f580f9b6c7c15dc4eefb8847
Instruction Fuzzy Hash: F5219170A243069FC710EF24D88586A77E4AE56324F604A5DF899C73E2E730D9A5CF93

Function 00261571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00261014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0026102A
Part of subcall function 00261014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261036
Part of subcall function 00261014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261045
Part of subcall function 00261014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0026104C
Part of subcall function 00261014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002615BE
_memcmp.LIBVCRUNTIME ref: 002615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00261617
HeapFree.KERNEL32(00000000), ref: 0026161E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3d9afc82212816e4e7926c37617590c08977a4ff99e3c69154998d3486d97516
Instruction ID: ae8ed5c1efb0c1b06a70d69609c040e5803fe0260561681d1b45b78d13bb76de
Opcode Fuzzy Hash: 3d9afc82212816e4e7926c37617590c08977a4ff99e3c69154998d3486d97516
Instruction Fuzzy Hash: B421AC71E10109EFDF10DFA8D949BEEB7B8EF44354F184459E445AB241E730BAA5CBA0

Function 00292782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0029280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00292824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00292832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00292840

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7e43cc7d0294e4f9c2b3a8ac65e4e2396182cf19cf59811d0966a28b33083f10
Instruction ID: 6cb64dbabd66d5a2d6410cc3fb8ade679bb3936e4c18141b5985dbf9b068af76
Opcode Fuzzy Hash: 7e43cc7d0294e4f9c2b3a8ac65e4e2396182cf19cf59811d0966a28b33083f10
Instruction Fuzzy Hash: FA21B231214111FFDB14DB24CC44FAABB95AF45324F248159F41A9B6E2CB71EC56CBA0

Function 002678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00268D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?), ref: 00268D8C
Part of subcall function 00268D7D: lstrcpyW.KERNEL32(00000000,?,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00268DB2
Part of subcall function 00268D7D: lstrcmpiW.KERNEL32(00000000,?,0026790A,?,000000FF,?,00268754,00000000,?,0000001C,?,?), ref: 00268DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267923
lstrcpyW.KERNEL32(00000000,?,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00268754,00000000,?,0000001C,?,?,00000000), ref: 00267984

Strings

cdecl, xrefs: 0026797B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 610b3cc7bcbd9fdd3f892f3432c3b6f75df21befe2f50e8ee3f60ff311d6b44b
Instruction ID: 8a67b4529732ebffd2416bfde3058276cbbbff0b97a49b5f4702aa0fc4adc2e8
Opcode Fuzzy Hash: 610b3cc7bcbd9fdd3f892f3432c3b6f75df21befe2f50e8ee3f60ff311d6b44b
Instruction Fuzzy Hash: 8911293A211342ABCB155F38E844D7A77E5FF45354B50402AF806C7264EB319861CB61

Function 00297CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00297D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00297D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00297D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0027B7AD,00000000), ref: 00297D6B

Part of subcall function 00219BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00219BB2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: cc5d449836d9708facc2701079562713a2902e41019ff93b5581315f41f93a24
Instruction ID: ac2fab5cac944da46993bcfb6cbdd72b6f4e2bf9759a333faeb1d6b00f21cfd6
Opcode Fuzzy Hash: cc5d449836d9708facc2701079562713a2902e41019ff93b5581315f41f93a24
Instruction Fuzzy Hash: 9F119D71635616AFCF109F68EC08AA63BA5AF45360F254725F839D72F0D7309D61CB60

Function 00295660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002956BB
_wcslen.LIBCMT ref: 002956CD
_wcslen.LIBCMT ref: 002956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00295816

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 883b6e851777408bd34d48e53494793e2c50b3cb656834e709961c5198ef671c
Instruction ID: 3f3f0a00c975b1078c7e8079e85041586129136c4cbe826201b60dbcb286c625
Opcode Fuzzy Hash: 883b6e851777408bd34d48e53494793e2c50b3cb656834e709961c5198ef671c
Instruction Fuzzy Hash: 4511D671730625A6EF21DFA1DC85AEE776CFF11760B104026F915D6081E7B0C9A4CFA0

Function 00231D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cb0fa8e0f7ea99fd961683ab4890996af1029e09ae4c6775c9b453f9590dbe
Instruction ID: 2a4055fd5b87592192be581b24069981322e7553f5491cb276d3050d00b81276
Opcode Fuzzy Hash: a6cb0fa8e0f7ea99fd961683ab4890996af1029e09ae4c6775c9b453f9590dbe
Instruction Fuzzy Hash: 86018BF222961A7EF6212A787CC0F27661DDF427B8F301326F525A11D2DB608C308570

Function 00261A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00261A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00261A8A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f16af87e38430e7a24bcdafb92e00a07b7a9a0d79863b2b4b64f2e9453dddeb5
Instruction ID: 90cb43e5ebf77f4b300804fa42cb07d475ce895a656b9d73d9aac991d46669f3
Opcode Fuzzy Hash: f16af87e38430e7a24bcdafb92e00a07b7a9a0d79863b2b4b64f2e9453dddeb5
Instruction Fuzzy Hash: 7F11393AD11219FFEB10DBE4CD85FADBB78EB08750F240492EA04B7294D6716E60DB94

Function 0026E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0026E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0026E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0026E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0026E24D

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 863dbd54000fcf0326ee54d75b14dcf20fb618b87d99d1624f8953871ef6a905
Instruction ID: 5e4856828bce2e1342cbb18a2f1b46470847c0b0bce7788e99e48a06e81c91e9
Opcode Fuzzy Hash: 863dbd54000fcf0326ee54d75b14dcf20fb618b87d99d1624f8953871ef6a905
Instruction Fuzzy Hash: 95112676D14214BFCB019FA8FC0DA9E7FADAB45320F104256FC24E3291D2B0CE6487A0

Function 0022D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0022CFF9,00000000,00000004,00000000), ref: 0022D218
GetLastError.KERNEL32 ref: 0022D224
__dosmaperr.LIBCMT ref: 0022D22B
ResumeThread.KERNEL32(00000000), ref: 0022D249

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 49783618925fb4139c77a5daeebd67c5b2d465e2bec5bb12463eb3ff6a5bdb50
Instruction ID: d9d51a5021733fc2fbf765706d5ba1a02f0b85bc64d55c370244c6ccda8a1c20
Opcode Fuzzy Hash: 49783618925fb4139c77a5daeebd67c5b2d465e2bec5bb12463eb3ff6a5bdb50
Instruction Fuzzy Hash: E701D636425225FBDB115FE5FC09BAE7A69DF82730F20031AFD25961D1CF708921CAA0

Function 0020600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
GetStockObject.GDI32(00000011), ref: 00206060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 148d526d709cc5fbecdd21e5b1d4a89a246821ec17193a8e07548f162a96f92b
Instruction ID: 30d3e0f71ce86595605452efdbf4b26e18a56a03901ca5214f0cff9988eb7544
Opcode Fuzzy Hash: 148d526d709cc5fbecdd21e5b1d4a89a246821ec17193a8e07548f162a96f92b
Instruction Fuzzy Hash: 0611AD72511609BFEF124FA4DC48EEABB6EFF083A4F100202FA0452051C7329C70EBA0

Function 00223B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00223B56

Part of subcall function 00223AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00223AD2
Part of subcall function 00223AA3: ___AdjustPointer.LIBCMT ref: 00223AED

_UnwindNestedFrames.LIBCMT ref: 00223B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00223B7C
CallCatchBlock.LIBVCRUNTIME ref: 00223BA4

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 46fe9b38b0c4939ac8a7a2a37263148d2239d538864c9e23525e47d98dee691e
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: E4012932110159BBDF12AE95EC42EEB3F6AEF48758F044014FE4856121C736E971DFA0

Function 00233073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002013C6,00000000,00000000,?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue), ref: 002330A5
GetLastError.KERNEL32(?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue,002A2290,FlsSetValue,00000000,00000364,?,00232E46), ref: 002330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0023301A,002013C6,00000000,00000000,00000000,?,0023328B,00000006,FlsSetValue,002A2290,FlsSetValue,00000000), ref: 002330BF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 162c9f1278fb7abe7330416b79e31654305bfb553021af416721879b3bf96cbf
Instruction ID: 16934cca70a464f22534972fc75a1ad295e5982b5bf9527a01dfa89ecbb7f538
Opcode Fuzzy Hash: 162c9f1278fb7abe7330416b79e31654305bfb553021af416721879b3bf96cbf
Instruction Fuzzy Hash: EC01D472731623ABCB258F78AC88A577B98AF45B61F200622F905E7150CB21DB11C6E0

Function 00267464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0026747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00267497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002674CA

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: dc22a84fe1c44aff106019e1c6eff13a5af1c9440c0bc6dd50b63540b7ff1669
Instruction ID: 5398a862a883c5a55708b1cb9f50cea53f1f3ca1da124c7ee5772df4f5704d37
Opcode Fuzzy Hash: dc22a84fe1c44aff106019e1c6eff13a5af1c9440c0bc6dd50b63540b7ff1669
Instruction Fuzzy Hash: EC11A1B52153119BF7208F14FD0CB927BFCEB40B08F20856AA616D6191DBB0E954DBA0

Function 0026B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026ACD3,?,00008000), ref: 0026B126

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 22deba0ce9623bc23dc144706344e23849ce02e2474089ad738820bb547e5f46
Instruction ID: 20af093f64cc802c5afb58dbc02c1014d284824529d63eed84d737a0084d95ad
Opcode Fuzzy Hash: 22deba0ce9623bc23dc144706344e23849ce02e2474089ad738820bb547e5f46
Instruction Fuzzy Hash: AD116D31C2152DEBCF01AFE4E998AEEBF78FF0A711F11409AD945B2185CB7096E08B55

Function 00297E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00297E33
ScreenToClient.USER32(?,?), ref: 00297E4B
ScreenToClient.USER32(?,?), ref: 00297E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00297E8A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f8fb8e8ab72d2f9cf2e7c621529a4752b553195e8020e5a3fd29781c931f3dd0
Instruction ID: b966079e13f003bada9d0a963db22272e40959abc38b64d5adcd8ad883e26ea9
Opcode Fuzzy Hash: f8fb8e8ab72d2f9cf2e7c621529a4752b553195e8020e5a3fd29781c931f3dd0
Instruction Fuzzy Hash: F01144B9D0024AAFDB41DF98D8849EEBBF9FF08310F505056E915E3210D735AA54CF50

Function 00262DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00262DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00262DD6
GetCurrentThreadId.KERNEL32 ref: 00262DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00262DE4

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4985387bf05b283c8c457025993f5689e099a4dd489f5eadb157cbb633142ae0
Instruction ID: 4c89f40fe3564f653626f59ff8a22a3f2bf43c95e54f6b63b397fb95c2dcce0c
Opcode Fuzzy Hash: 4985387bf05b283c8c457025993f5689e099a4dd489f5eadb157cbb633142ae0
Instruction Fuzzy Hash: 4DE09271111624BBDB201F72AC0DFEB3E6CEF83BA1F500416F105D10909AA1C884C6B0

Function 00298863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00219639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00219693
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196A2
Part of subcall function 00219639: BeginPath.GDI32(?), ref: 002196B9
Part of subcall function 00219639: SelectObject.GDI32(?,00000000), ref: 002196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00298887
LineTo.GDI32(?,?,?), ref: 00298894
EndPath.GDI32(?), ref: 002988A4
StrokePath.GDI32(?), ref: 002988B2

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8edec65f1e5ee9a17f442802b7487f4af4f177dbf643cd6d3708584ea01d50ca
Instruction ID: 661d4b4d2452cd7e4d3d4ca42b2b7bfbd84bc0c0791e439d78c8198db453887f
Opcode Fuzzy Hash: 8edec65f1e5ee9a17f442802b7487f4af4f177dbf643cd6d3708584ea01d50ca
Instruction Fuzzy Hash: 81F03A36052299BADB126F94BC0DFCA3B59AF06310F148002FA15650E1C7755561CFB9

Function 002198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002198CC
SetTextColor.GDI32(?,?), ref: 002198D6
SetBkMode.GDI32(?,00000001), ref: 002198E9
GetStockObject.GDI32(00000005), ref: 002198F1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3b49e3845170ce6e7b23427f98ac8c08cf39660e72660f3eb0f4b3675c8442f6
Instruction ID: a035443598a55f24440e2c58b1f480a3543a2518abde18cc965d3fad3240afd2
Opcode Fuzzy Hash: 3b49e3845170ce6e7b23427f98ac8c08cf39660e72660f3eb0f4b3675c8442f6
Instruction Fuzzy Hash: D6E06D31284280ABDB215F74BC0DBE83F60AB12336F24821AFAFA581E1C77146949B10

Function 0026162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00261634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002611D9), ref: 0026163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002611D9), ref: 00261648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002611D9), ref: 0026164F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 60e0fc4c8b31362915e1dcf99dced8c8094fbae1d3afa88dcc5c05ef7e170a8a
Instruction ID: 7c8d9100274f8252f2755d25a9a06aa8e0c286356fb598774224056e5dd922ec
Opcode Fuzzy Hash: 60e0fc4c8b31362915e1dcf99dced8c8094fbae1d3afa88dcc5c05ef7e170a8a
Instruction Fuzzy Hash: 4AE08635601211EBD7201FA0BE0DB463B7CAF44791F288809F745C9080D6345490C764

Function 0025D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025D858
GetDC.USER32(00000000), ref: 0025D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025D882
ReleaseDC.USER32(?), ref: 0025D8A3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4a0801a3c01ff6dd125ddca342f809c607af3c5562c9a06bcedb7942c635b3e4
Instruction ID: 3eb72b2cfe83e84c9341403d72a6538f11d78c4cbd28fac1e1a358ee227335a4
Opcode Fuzzy Hash: 4a0801a3c01ff6dd125ddca342f809c607af3c5562c9a06bcedb7942c635b3e4
Instruction Fuzzy Hash: ACE01AB1810205DFCF419FA0E80C66DBBB5FB48311F24800AE816E7250CB799951AF50

Function 0025D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0025D86C
GetDC.USER32(00000000), ref: 0025D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025D882
ReleaseDC.USER32(?), ref: 0025D8A3

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d52ef87df9a4e12ee1c1e7180d1e6e7495f11d691a2f77f579eb214635d6218c
Instruction ID: 62c750168ca4a692ae55fb4ea27041abc9125a37ca6c1d7415e9399c2b1b115e
Opcode Fuzzy Hash: d52ef87df9a4e12ee1c1e7180d1e6e7495f11d691a2f77f579eb214635d6218c
Instruction Fuzzy Hash: 7FE092B5810205EFCF51AFA0E80C66DBBB9BB48311F24844AE95AE7260CB799951AF50

Function 00274D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00207620: _wcslen.LIBCMT ref: 00207625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00274ED4

Strings

LPT, xrefs: 00274DFB
*, xrefs: 00274E10

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: a26f08310fc5e7cd644500b02f23f17c9513451ae87803ca48e1452b0dac67cf
Instruction ID: 724635b69fd97e77ec21f55a6a85a516c309761552f438f3df8ea5e9e3bd696a
Opcode Fuzzy Hash: a26f08310fc5e7cd644500b02f23f17c9513451ae87803ca48e1452b0dac67cf
Instruction Fuzzy Hash: CB916E75A102159FCB14EF58C484EAABBF1AF49304F18C099E80A9F7A2C771ED95CF91

Function 0022E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0022E30D

Strings

pow, xrefs: 0022E2E5, 0022E302

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 0af323eb8cc27f98809a978670a0512bc21e2df58a82a789e0e4ab70d624e328
Instruction ID: a5b3c2f230a646e66ede4c2a1f4f778f28c28f8f5343e967aa9da93d984c5e3c
Opcode Fuzzy Hash: 0af323eb8cc27f98809a978670a0512bc21e2df58a82a789e0e4ab70d624e328
Instruction Fuzzy Hash: A9518DE1A3C207F6CF31BF58E9013793B94AF40741F304999E496822E9DF348CB5AA42

Function 00287771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0025569E,00000000,?,0029CC08,?,00000000,00000000), ref: 002878DD

Part of subcall function 00206B57: _wcslen.LIBCMT ref: 00206B6A

CharUpperBuffW.USER32(0025569E,00000000,?,0029CC08,00000000,?,00000000,00000000), ref: 0028783B

Strings

<s,, xrefs: 002877C8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s,
API String ID: 3544283678-3841622832
Opcode ID: 0c5f1d65dfa6f6691ca5eb0cecc11259c37bf7caf36e46c28876c9302813dba8
Instruction ID: 24d26f1cb357e6f69e06a80d77f8e83590183b988bd545dd6323c2f4dc5b4166
Opcode Fuzzy Hash: 0c5f1d65dfa6f6691ca5eb0cecc11259c37bf7caf36e46c28876c9302813dba8
Instruction Fuzzy Hash: 8F614B76934219AACF04FBA4CC95DFDB378BF14700B644129E542A30D2EF70AA65DFA0

Function 0021E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0021E1B1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 765ddb4976cd9ae4664a305e1e9b03bdb49704b203ca3e6746a9872e19c4d554
Instruction ID: 42205d2b47f07103e14acf55cff0a721cd9661cb134749edeb991bf232038725
Opcode Fuzzy Hash: 765ddb4976cd9ae4664a305e1e9b03bdb49704b203ca3e6746a9872e19c4d554
Instruction Fuzzy Hash: 40513331920356DFDF18DF28C891AFABBE8EF29310F254015EC519B2D0D6309EA6CB90

Function 0021F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0021F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0021F2BB

Strings

@, xrefs: 0021F2AF

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 883f58f00dd364e93c0ed71f2f05aebe60dda93bf697be8f10bd8ceaac4bb004
Instruction ID: 2b7846664409691e0c5bd1f3538b7a3d93005d473ea33ed31d1f80f758a41682
Opcode Fuzzy Hash: 883f58f00dd364e93c0ed71f2f05aebe60dda93bf697be8f10bd8ceaac4bb004
Instruction Fuzzy Hash: A55149714187459BD320AF10EC8ABABB7F8FB84300F91495DF1D9411A6EB709539CB67

Function 00285745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002857E0
_wcslen.LIBCMT ref: 002857EC

Strings

CALLARGARRAY, xrefs: 002857E6, 002857EB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 96de391b95f3010511a48aa45e600a645b29ddaa6d7f03953f8073641c694b26
Instruction ID: 8e85b84912109a0ce8b8529239e29c655664d994320c98e6f77a6d229093fd2b
Opcode Fuzzy Hash: 96de391b95f3010511a48aa45e600a645b29ddaa6d7f03953f8073641c694b26
Instruction Fuzzy Hash: A341A035E212199FCB14EFA8C8859AEBBF5EF59310F10402AE505A7292E7709DE1CF90

Function 0027D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0027D13A

Strings

|, xrefs: 0027D10B

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: fc954eb88edb8a3b8b326e9162de1bfe6ab1e4d845d4aa19fc99596c94b276b1
Instruction ID: 6760c3c8a10f1fef9dee3c8d4d938249f1ea60dbc46f531be8d1c31b86f97be8
Opcode Fuzzy Hash: fc954eb88edb8a3b8b326e9162de1bfe6ab1e4d845d4aa19fc99596c94b276b1
Instruction Fuzzy Hash: 37313971D11219ABCF15EFA4CC85EEEBFB9FF05300F404019E819A61A2D731AA66CF60

Function 0029356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00293621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0029365C

Strings

static, xrefs: 002935BC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7e2cea6cfd92e07af8761a6ea29cc9bf227cc8c96f9d413658e4d14954ad5478
Instruction ID: 27223ea3f96b0adaf7f2f0178b9d270527b33be08544a8206c841c36c90e24d5
Opcode Fuzzy Hash: 7e2cea6cfd92e07af8761a6ea29cc9bf227cc8c96f9d413658e4d14954ad5478
Instruction Fuzzy Hash: BF318F71120205AADB10DF68DC80EFB73ADFF89724F108619F8A5D7290DA31ADA1DB64

Function 00294537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0029461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00294634

Strings

', xrefs: 0029458E

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fad80cb33dc140cea3d0b8774811e9ec12f774b26dcb5ade5bc353aef2ff6caf
Instruction ID: 060125bf79822bc748d2f31ac7ea3b11e1aa5131439228378c3d1a7697c62d27
Opcode Fuzzy Hash: fad80cb33dc140cea3d0b8774811e9ec12f774b26dcb5ade5bc353aef2ff6caf
Instruction Fuzzy Hash: 673137B4A1120A9FDF14DFA9C990BDA7BB9FF19300F51416AE904AB341D770A952CF90

Function 002931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0029327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00293287

Strings

Combobox, xrefs: 00293249

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: acb20c0feb1355ab9d97eb3adbccbfbb9d20a4e1f5fadc9fdbd4518e39c1850f
Instruction ID: 9034d278bd93eb1f598704f7303a9b3df57575cce82e3d118df20f0400998914
Opcode Fuzzy Hash: acb20c0feb1355ab9d97eb3adbccbfbb9d20a4e1f5fadc9fdbd4518e39c1850f
Instruction Fuzzy Hash: C211D071B202097FFF25DF94DC84EBB376AEB94364F100129F91897290D6319D618B60

Function 00293710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0020600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020604C
Part of subcall function 0020600E: GetStockObject.GDI32(00000011), ref: 00206060
Part of subcall function 0020600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0020606A

GetWindowRect.USER32(00000000,?), ref: 0029377A
GetSysColor.USER32(00000012), ref: 00293794

Strings

static, xrefs: 00293757

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2d507f0a842ee9ecbb648ff3fbe24e2403a143f00a7ffe3c795003c13f2422b6
Instruction ID: 1df6d20489f5f5790e12f85ecf10ade8f9cdeb8f753b020459ffe34109de7573
Opcode Fuzzy Hash: 2d507f0a842ee9ecbb648ff3fbe24e2403a143f00a7ffe3c795003c13f2422b6
Instruction Fuzzy Hash: 98113AB262020AAFDF00DFA8CC49EEA7BB8FB09314F104915F955E2250D775E8619B50

Function 0027CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0027CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0027CDA6

Strings

<local>, xrefs: 0027CD66

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c456674a53553facbfa050e77e1911028e9deca8e7e27ec82966527b660be12c
Instruction ID: a92a30c81f3fdac0f3a425f6ee19097c1b30ba9745ed2c856674f32a498cceeb
Opcode Fuzzy Hash: c456674a53553facbfa050e77e1911028e9deca8e7e27ec82966527b660be12c
Instruction Fuzzy Hash: 9911A771125632BAD7384A769C49FE7BE5CEB167A4F20823EB10D82180D6749850D6F0

Function 00293429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002934BA

Strings

edit, xrefs: 0029348F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3d01560a73055ebe994f0813b28dee28f481eec32e731134ee87673545bf3b7a
Instruction ID: 9469c986c37651be9db2b54a88f66b86219e535fe50a07f041cd588657aced63
Opcode Fuzzy Hash: 3d01560a73055ebe994f0813b28dee28f481eec32e731134ee87673545bf3b7a
Instruction Fuzzy Hash: 30118C71120209ABEF128F64EC48ABB37AAEF05378F615724F965931E0C771EC619B60

Function 00266C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

CharUpperBuffW.USER32(?,?,?), ref: 00266CB6
_wcslen.LIBCMT ref: 00266CC2

Strings

STOP, xrefs: 00266CBC, 00266CC1

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d00f7e54a5b5875ae2c57c7ca5882d811b30dfa567d84c5319bc9b3d2c7a51cb
Instruction ID: 6d4f61e257e52c88b701ef96aba7109a003ccaf5fb4784f43b46a1ba0f5385f0
Opcode Fuzzy Hash: d00f7e54a5b5875ae2c57c7ca5882d811b30dfa567d84c5319bc9b3d2c7a51cb
Instruction Fuzzy Hash: 590108326309278ACB109FFDDC489BF73B4EE61710F100529E452921D1EA31D8A0C650

Function 00261CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00261D4C

Strings

ListBox, xrefs: 00261D16
ComboBox, xrefs: 00261CEB

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cdedcfd0b1914f87f514cf4620223fcc0f4a47c0eef0227a07a817aec366aceb
Instruction ID: 4ecbd5f40fbd76253661754a187906b456262724a199088973c096c44b2a43a0
Opcode Fuzzy Hash: cdedcfd0b1914f87f514cf4620223fcc0f4a47c0eef0227a07a817aec366aceb
Instruction Fuzzy Hash: A701D871621215ABCB08EFA4CC55DFE7768FF56350F14061AF822573C2EA3069B88BA0

Function 00261BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00261C46

Strings

ListBox, xrefs: 00261C10
ComboBox, xrefs: 00261BE5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c06b287d358ce262ea6ffff28294be73b691de96469b027e6ebb84f678828ecd
Instruction ID: caa5814eaf462ad81bb360c61ee264239e29298dd6750c3f0899ece3ed418784
Opcode Fuzzy Hash: c06b287d358ce262ea6ffff28294be73b691de96469b027e6ebb84f678828ecd
Instruction Fuzzy Hash: 3001FC71A6020466CB04EB90C951EFF77A89F15340F14001BF406632C3EA20AEB88AB2

Function 00261C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00261CC8

Strings

ListBox, xrefs: 00261C94
ComboBox, xrefs: 00261C69

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b2d75a410863cceb23e58e89ad0ce5ff577d225a5682bc257eaf70ee3eb1126a
Instruction ID: d469e5f56ac39599953c0266e753518791dba3eceb2557c00e213d739518a74a
Opcode Fuzzy Hash: b2d75a410863cceb23e58e89ad0ce5ff577d225a5682bc257eaf70ee3eb1126a
Instruction Fuzzy Hash: C001DBB1A6021567DB04EB90CA01EFF77AC9B11340F140017B802732C3EA60AFB8DA72

Function 0021A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021A529

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Strings

,%-, xrefs: 0021A509
3y%, xrefs: 0021A545, 0021A54D, 0021A552

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%-$3y%
API String ID: 2551934079-1204127486
Opcode ID: d0c6f6df1116137e5746284799ddc45811b4ba0f588887c861338cd18a4103dc
Instruction ID: 1c88e8281cc475c0e2aa66238f99820bdd904744b2e16613594962050b017652
Opcode Fuzzy Hash: d0c6f6df1116137e5746284799ddc45811b4ba0f588887c861338cd18a4103dc
Instruction Fuzzy Hash: 59014731F32210A7CA04F768B84BA9D33A58B15720F904015F502172C3DE605DA58E97

Function 00261D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00209CB3: _wcslen.LIBCMT ref: 00209CBD

Part of subcall function 00263CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00263CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00261DD3

Strings

ListBox, xrefs: 00261DA0
ComboBox, xrefs: 00261D75

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61471d983852f6fc0a2fab0b224dda0c09065b252244fa6c90bc808e94d8fea2
Instruction ID: 0369ccc0e1fa18c4d4a2217412ef67c76ab94565bc9c9538d44c5caf9911c299
Opcode Fuzzy Hash: 61471d983852f6fc0a2fab0b224dda0c09065b252244fa6c90bc808e94d8fea2
Instruction Fuzzy Hash: 06F0A971E7131566D704E7A4CC51FFF777CAB06350F04091AF422632C7DA6069B88660

Function 00298172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D3018,002D305C), ref: 002981BF
CloseHandle.KERNEL32 ref: 002981D1

Strings

\0-, xrefs: 0029818A

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0-
API String ID: 3712363035-8283200
Opcode ID: 01389fe57e023752b04404ebc534b0c81de3b48231507831ea479b4138ea72eb
Instruction ID: c4549b104426277149361aa72bd687e89d8575d342fbd9a18f14c22755937189
Opcode Fuzzy Hash: 01389fe57e023752b04404ebc534b0c81de3b48231507831ea479b4138ea72eb
Instruction Fuzzy Hash: 48F05EB2A51310BBE320AB61FC49FB73B5CDB05752F000462BB08D51A2D6768E2487BA

Function 0028747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00287493
_wcslen.LIBCMT ref: 002874B9

Strings

3, 3, 16, 1, xrefs: 00287483

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d1e8342c7b8b29e48082fba445ff70de1eacaacc9ff37c778ec82cb5f0d5f16b
Instruction ID: d0f4a570578ec79737ae4fa9d8e7918790fa8f06a220c15e5b3f1a882f80ce2e
Opcode Fuzzy Hash: d1e8342c7b8b29e48082fba445ff70de1eacaacc9ff37c778ec82cb5f0d5f16b
Instruction Fuzzy Hash: 90E02B0A23627120923136B9ACC1A7F5699DFC5750734182BF985C22A6EAD4CDF193A0

Function 00260B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00260B23

Strings

AutoIt, xrefs: 00260B17
Error allocating memory., xrefs: 00260B1C

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0bc5c1ed651f6c9559eb753ba9801c017b849c4f7f80d269faece74db64677e6
Instruction ID: 4967745fe8ad30d3c8b867ca185072c354d51c192cde139cb312976a2070a257
Opcode Fuzzy Hash: 0bc5c1ed651f6c9559eb753ba9801c017b849c4f7f80d269faece74db64677e6
Instruction Fuzzy Hash: 73E0D83126431836D6143B947C07FD97AC48F05B20F20042BF758594C38AE164F00AE9

Function 00220D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0021F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00220D71,?,?,?,0020100A), ref: 0021F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0020100A), ref: 00220D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0020100A), ref: 00220D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00220D7F

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 431ef983b9237b80ed5075ebf593f08192979babac6e2e18ae5d20d942eb5a56
Instruction ID: 5035213a992191e0deb8f9d802a725d3ff47a4364a7d247755243894615987b2
Opcode Fuzzy Hash: 431ef983b9237b80ed5075ebf593f08192979babac6e2e18ae5d20d942eb5a56
Instruction Fuzzy Hash: A8E092706113119BE7B09FF8F5487427BE0EF00740F00492EE886C6656DBB0E4548F91

Function 0021E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021E3D5

Strings

8%-, xrefs: 0021E3CA
0%-, xrefs: 0021E3B5

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%-$8%-
API String ID: 1385522511-4080731599
Opcode ID: dcdc1834639fcb1b2a35e3b5e1705d12fdc13423c46230e8b45275c7cb6ca139
Instruction ID: 1a8ca7b6fd97f4ff07864cbdc6a61ca26e165344e83661b409d96bab988f8ac7
Opcode Fuzzy Hash: dcdc1834639fcb1b2a35e3b5e1705d12fdc13423c46230e8b45275c7cb6ca139
Instruction Fuzzy Hash: B7E02031831920CBCE0C9758BE9CDDC3391BB343207D102E7F862871D19B301CA58954

Function 00273017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0027302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00273044

Strings

aut, xrefs: 00273038

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d5e83a5432b845fa45c19cd1d793d71e2b5c02bed78045478155d5a1c8914bb4
Instruction ID: 83c185eb732629372461b675e988c048dcdd6afc5175b45cdddb03e07497cdef
Opcode Fuzzy Hash: d5e83a5432b845fa45c19cd1d793d71e2b5c02bed78045478155d5a1c8914bb4
Instruction Fuzzy Hash: 5FD05E7290032877DA20A7A4AC0EFCB3A6CDB05750F0002A2BA59E2091DAB09984CAE0

Function 0025D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0025D220

Strings

%.3d, xrefs: 0025D22B
X64, xrefs: 0025D2A8

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8a793c1add53c46158b806162ca752cfdde3bb9a462cdf76ae3984c0dd261f95
Instruction ID: 1017843061afbe1f380568bd68bc53b2fae006171860eb3fdeced72f99a12d7d
Opcode Fuzzy Hash: 8a793c1add53c46158b806162ca752cfdde3bb9a462cdf76ae3984c0dd261f95
Instruction Fuzzy Hash: 3DD01271C3C108EACBA097D0DC499FAB3BCAB18302F608456FC06D2041D6B4D56CAB65

Function 00292322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0029233F

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Strings

Shell_TrayWnd, xrefs: 00292325

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2d814dd03a705483d996d183d1b1ef62c0304f582a558e5cf60d6e9d003913fc
Instruction ID: 03b27780f0aceb36338ecbe91bbf885a38c7be07847ba7182262473f076576a5
Opcode Fuzzy Hash: 2d814dd03a705483d996d183d1b1ef62c0304f582a558e5cf60d6e9d003913fc
Instruction Fuzzy Hash: 40D012763E5310B7EA68B770EC4FFC6BA289F40B10F114E177749AA1D4C9F0A855CA54

Function 00292356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0029236C
PostMessageW.USER32(00000000), ref: 00292373

Part of subcall function 0026E97B: Sleep.KERNEL32 ref: 0026E9F3

Strings

Shell_TrayWnd, xrefs: 00292365

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b68f2975503ebf7b03a16dbec5a5b22d00ffa7ac83753d10f3ff04f8e37b6436
Instruction ID: b9086f38f455c62ddab6361448c4858a52e5a6a1cf372da7c7d6388fdd7aa7d4
Opcode Fuzzy Hash: b68f2975503ebf7b03a16dbec5a5b22d00ffa7ac83753d10f3ff04f8e37b6436
Instruction Fuzzy Hash: F5D0A9323D13007AEA68A330EC0FFC6A6289B00B00F110A167205AA0D0C8A0A8108A04

Function 0023BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0023BE93
GetLastError.KERNEL32 ref: 0023BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0023BEFC

Memory Dump Source

Source File: 00000000.00000002.2088569918.0000000000201000.00000020.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true

Associated: 00000000.00000002.2088543800.0000000000200000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088653680.00000000002C2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088717576.00000000002CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088747742.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_200000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e52b74478efa103406cf5388ee31db4e01a5e6e494e5cb4b67dca713910618f3
Instruction ID: 26667fbab4c2ad590f77a6d252ffc599617629661133f7dfef738a7eff3e119f
Opcode Fuzzy Hash: e52b74478efa103406cf5388ee31db4e01a5e6e494e5cb4b67dca713910618f3
Instruction Fuzzy Hash: 88410B75624217EFCF228FA8DC54BBA7BA4EF41710F14516AFA59971A1DB308C21CF60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49742
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:51535

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2222292539.000001EF1F640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2208615495.000001EF1B6B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2227901283.000001EF1F781000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221588370.000001EF1F779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2208189837.000001EF1B847000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2222636761.000001EF1EEBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223338662.000001EF1BC21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2205870963.000001EF1EEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2208189837.000001EF1B847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222636761.000001EF1EEBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223338662.000001EF1BC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2238423613.000001EF1BC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF144B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222292539.000001EF1F640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2227901283.000001EF1F781000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221588370.000001EF1F779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2208043708.000001EF1B8E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242530479.000001EF1B8E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2208043708.000001EF1B8E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242530479.000001EF1B8E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2208189837.000001EF1B847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222636761.000001EF1EEBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223338662.000001EF1BC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2208189837.000001EF1B847000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222636761.000001EF1EEBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223338662.000001EF1BC21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2241482881.000001EF13654000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3286498677.000002255930C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2241482881.000001EF13654000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3286498677.000002255930C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2241482881.000001EF13654000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3286730123.0000021C8C203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3286498677.000002255930C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2221588370.000001EF1F766000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2238423613.000001EF1BC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2239822558.000001EF147FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF144B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2239822558.000001EF147FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227901283.000001EF1F781000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221588370.000001EF1F779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2234549041.000001EF144A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF144FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234549041.000001EF1444E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:51400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.5:51401 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:51399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:51410 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:51411 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:51412 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:51409 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:51576 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:51577 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 51494 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51403 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 51577 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51594
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 51576 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51403
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51409
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51401
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51369
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51402
Source: unknown	Network traffic detected: HTTP traffic on port 51411 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51400
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 51409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 51401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 51594 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51494
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51412
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51577
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51410
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51411
Source: unknown	Network traffic detected: HTTP traffic on port 51412 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51576
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51402 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfcef79d-8e8f-4559-9d6f-49315862743e.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfcef79d-8e8f-4559-9d6f-49315862743e.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre