Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574168
MD5:	04d0f18ac9713155e57d1c5e6733c25d
SHA1:	78ad7176da493648aff7a8eb7883e7e0a802b57b
SHA256:	94a25e4bcc070ef78547d1e46fded69e0b5be89dd7e231d61e3db8d8581d8cbd
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 04D0F18AC9713155E57D1C5E6733C25D)

taskkill.exe (PID: 7436 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7540 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7596 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7660 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7720 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7820 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7836 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8080 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aca0763e-a75f-48d8-92fb-b37409b571e2} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ac5f6d510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7612 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cbb89c-e53b-41c9-8203-635a601926e8} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ad6195210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3512 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2624 -prefMapHandle 2600 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c9482c-04a0-42c9-abee-e7d8adc06386} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21adffef710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7420	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0091EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0091EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0091ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0091EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0090AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00939576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00939576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1686012566.0000000000962000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_00a15b99-f
Source: file.exe, 00000000.00000000.1686012566.0000000000962000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_53dae44a-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a18778bc-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bf12687c-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000028EB0DC4AB7 NtQuerySystemInformation,		16_2_0000028EB0DC4AB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000028EB0DFBBB2 NtQuerySystemInformation,		16_2_0000028EB0DFBBB2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0090D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00901201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00901201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0090E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00912046	0_2_00912046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A8060	0_2_008A8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00908298	0_2_00908298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DE4FF	0_2_008DE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D676B	0_2_008D676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00934873	0_2_00934873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CCAA0	0_2_008CCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ACAF0	0_2_008ACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BCC39	0_2_008BCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D6DD9	0_2_008D6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A91C0	0_2_008A91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BB119	0_2_008BB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1394	0_2_008C1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1706	0_2_008C1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C781B	0_2_008C781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C19B0	0_2_008C19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A7920	0_2_008A7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B997D	0_2_008B997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C7A4A	0_2_008C7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C7CA7	0_2_008C7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1C77	0_2_008C1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D9EEE	0_2_008D9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092BE44	0_2_0092BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C1F32	0_2_008C1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 13_3_00000363DE4E64A6	13_3_00000363DE4E64A6
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000028EB0DC4AB7	16_2_0000028EB0DC4AB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000028EB0DFBBB2	16_2_0000028EB0DFBBB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000028EB0DFBBF2	16_2_0000028EB0DFBBF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000028EB0DFC2DC	16_2_0000028EB0DFC2DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008C0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008BF9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/41@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009137B5 GetLastError,FormatMessageW,

0_2_009137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009010BF AdjustTokenPrivileges,CloseHandle,		0_2_009010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0090D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0091648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008A42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932569146.0000021AD7C50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872635315.0000021AE1E6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1926208570.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889335119.0000021AE1E17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 28%
Source: file.exe	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aca0763e-a75f-48d8-92fb-b37409b571e2} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ac5f6d510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cbb89c-e53b-41c9-8203-635a601926e8} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ad6195210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2624 -prefMapHandle 2600 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c9482c-04a0-42c9-abee-e7d8adc06386} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21adffef710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aca0763e-a75f-48d8-92fb-b37409b571e2} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ac5f6d510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cbb89c-e53b-41c9-8203-635a601926e8} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ad6195210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2624 -prefMapHandle 2600 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c9482c-04a0-42c9-abee-e7d8adc06386} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21adffef710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1902847124.0000021AE0901000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1932193737.0000021AD7CD6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1910938312.0000021AD34A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1893311046.0000021AD9273000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923002104.0000021AD82A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917632061.0000021AD9273000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878267886.0000021AD9273000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880795750.0000021AD82A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1910938312.0000021AD34A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1909358742.0000021AD34A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1933571604.0000021AD77AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1907759326.0000021AD34AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1932374278.0000021AD7CB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931771487.0000021AD7CFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1933028742.0000021AD77E9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1878057428.0000021AD978D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924998015.0000021AD978D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929548073.0000021AD94ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917336994.0000021AD94ED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1902847124.0000021AE0901000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb@ source: firefox.exe, 0000000D.00000003.1923779866.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881589534.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1933028742.0000021AD77E9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1923779866.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1933028742.0000021AD77E9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1933571604.0000021AD77AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1933028742.0000021AD77E9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1907759326.0000021AD34AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.1932193737.0000021AD7CD6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1932193737.0000021AD7CD6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1909358742.0000021AD34A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1933028742.0000021AD77E9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1881589534.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1932193737.0000021AD7CD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932502777.0000021AD7CA4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1933571604.0000021AD77AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1933571604.0000021AD77AF000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C0A76 push ecx; ret

0_2_008C0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008BF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00931C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95969

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000028EB0DC4AB7 rdtsc

16_2_0000028EB0DC4AB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.9 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0090DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009168EE FindFirstFileW,FindClose,	0_2_009168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0091698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0090D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0090D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00919642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00919642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0091979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00919B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00919B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00915C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00915C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Source: firefox.exe, 00000010.00000002.3565503503.0000028EB14C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf!
Source: firefox.exe, 00000011.00000002.3560713847.0000020938B3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 4
Source: file.exe, 00000000.00000003.1764903761.0000000001366000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765945326.000000000136A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767156540.0000000001371000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3559686461.000001271632A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3560031570.0000028EB0D2A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3564861408.0000020938F00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3565368746.0000012716821000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3565503503.0000028EB14D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: file.exe, 00000000.00000003.1688756479.0000000001381000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692004539.0000000001382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%S
Source: file.exe, 00000000.00000003.1754215457.0000000001579000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1766112954.000000000157A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1767930034.000000000157D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3566145954.0000012716900000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3565503503.0000028EB14D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000F.00000002.3566145954.0000012716900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWWn_

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000028EB0DC4AB7 rdtsc

16_2_0000028EB0DC4AB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091EAA2 BlockInput,

0_2_0091EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008D2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C4CE8 mov eax, dword ptr fs:[00000030h]

0_2_008C4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00900B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00900B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008D2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008C083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C09D5 SetUnhandledExceptionFilter,	0_2_008C09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008C0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00901201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008E2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090B226 SendInput,keybd_event,

0_2_0090B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009222DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00900B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00901663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00901663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C0698 cpuid

0_2_008C0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FD21C GetLocalTime,

0_2_008FD21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FD27A GetUserNameW,

0_2_008FD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008DBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008A42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7420, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00921204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00921204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00921806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00921806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Ransomware.Generic
file.exe	26%	Virustotal		Browse
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
https://youtube.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.14	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1878057428.0000021AD978D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924998015.0000021AD978D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938EC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	firefox.exe, 0000000D.00000003.1911237982.0000021AE09ED000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912067927.0000021AE09F4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910511846.0000021AE09ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3561960632.00000127167C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565203391.0000020939006000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1881954876.0000021ADE235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845759016.0000021ADE232000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.3561960632.0000012716772000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938E8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1873852778.0000021ADF6EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931771487.0000021AD7CFC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1936275785.0000021ADF799000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1880795750.0000021AD82A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1794288953.0000021AD7772000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1878057428.0000021AD9769000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1880795750.0000021AD82A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000D.00000003.1956638355.0000021AD925F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878267886.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893311046.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917632061.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1741142703.0000021AD5C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741331722.0000021AD5C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740458723.0000021AD5C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1739592007.0000021AD5A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740023665.0000021AD5C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com0	firefox.exe, 0000000D.00000003.1923566165.0000021AD81BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942351659.0000021AD81C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3561960632.00000127167C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565203391.0000020939006000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1926897722.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1799910899.0000021AD7A4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ok.ru/	firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1793382028.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1874791878.0000021ADE88B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3561960632.00000127167C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565203391.0000020939006000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1793382028.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938E0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1832518053.0000021AD6E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834555869.0000021AD6F2E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1876400034.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914774302.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955307248.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891385893.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793382028.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1911648432.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926897722.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1928374056.0000021ADF69B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938EC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1938435362.0000021ADDBA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1832518053.0000021AD6E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834555869.0000021AD6F2E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1901125218.0000021AD7922000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1926897722.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1794288953.0000021AD7772000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1936189535.0000021ADF7A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1887811044.0000021AE1FAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871245854.0000021AE1FAE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1873852778.0000021ADF6EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924405588.0000021ADDBB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938E13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1868663876.0000021AD7A1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850636141.0000021AD7A1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000011.00000002.3561580269.0000020938E8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1878057428.0000021AD9769000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1876400034.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914774302.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955307248.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891385893.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793382028.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1832518053.0000021AD6E6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1845759016.0000021ADE217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1745554743.0000021AD5FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846083449.0000021AD95E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865358789.0000021AD7A8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1745554743.0000021AD5FD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901783171.0000021AD796F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901125218.0000021AD7922000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842119230.0000021AD5FAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942351659.0000021AD81EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956591194.0000021AD9411000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868743331.0000021AD7A14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919195732.0000021AD91D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901305189.0000021AD791B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849459258.0000021AD5FE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849191381.0000021AD749E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863918946.0000021AD7A89000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879768237.0000021AD91D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870311186.0000021AD7A8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874397604.0000021ADF60D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799815708.0000021AD7A81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907861743.0000021AD5FD9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1956638355.0000021AD925F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878267886.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893311046.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917632061.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://youtube.com/	firefox.exe, 0000000D.00000003.1876400034.0000021ADE1A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891385893.0000021ADE1A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793382028.0000021ADE1A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1956638355.0000021AD925F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878267886.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893311046.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917632061.0000021AD925E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1876400034.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914774302.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955307248.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891385893.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793382028.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1881954876.0000021ADE235000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845759016.0000021ADE232000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1873852778.0000021ADF658000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1869880804.0000021AD582B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883085023.0000021AD5839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743234561.0000021AD5833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897092593.0000021AD5839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742577760.0000021AD5833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742997987.0000021AD581D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1832518053.0000021AD6E6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1933331221.0000021AD77C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1893311046.0000021AD9273000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940029842.0000021AD927A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917632061.0000021AD9273000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878267886.0000021AD9273000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1832518053.0000021AD6E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834555869.0000021AD6F2E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1869880804.0000021AD582B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883085023.0000021AD5839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743234561.0000021AD5833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897092593.0000021AD5839000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742577760.0000021AD5833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742997987.0000021AD581D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1911648432.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926897722.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3561960632.00000127167C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565203391.0000020939006000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1936499763.0000021ADF6D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915618286.0000021ADE11A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1935513802.0000021AE1EED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872306114.0000021AE1EA6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1740023665.0000021AD5C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1793382028.0000021ADE1A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900138336.0000021AD79F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740023665.0000021AD5C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1878057428.0000021AD9769000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3561274697.0000012716600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3560336957.0000028EB0D60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561119887.0000020938C40000.00000002.10000000.00040000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000000D.00000003.1793382028.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vk.com/	firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574168
Start date and time:	2024-12-13 01:34:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/41@73/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.213.181.160, 35.85.93.176, 44.228.225.150, 142.250.181.142, 88.221.134.155, 88.221.134.209, 142.250.181.106, 142.250.181.74, 23.218.208.109, 52.149.20.212, 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7836 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	https://sunjoy.us/FrontEnd/Order/ClientOrder?r=OjOPs86UyCAES$Kc7fW4b3J0sABVed2S0tnrWO6voz0UM4TOsax7EiA	Get hash	malicious	Unknown	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	151.101.129.137
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	151.101.65.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	b3astmode.arm5.elf	Get hash	malicious	Mirai	Browse	34.66.227.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	51.128.98.129
	b3astmode.mpsl.elf	Get hash	malicious	Mirai	Browse	48.72.60.226
	b3astmode.arm5.elf	Get hash	malicious	Mirai	Browse	51.249.27.193
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	32.193.220.10
	b3astmode.mips.elf	Get hash	malicious	Mirai	Browse	32.110.69.206
	b3astmode.spc.elf	Get hash	malicious	Mirai	Browse	51.197.2.225
	b3astmode.x86.elf	Get hash	malicious	Mirai	Browse	32.111.36.38
	jade.sh4.elf	Get hash	malicious	Mirai	Browse	48.70.30.31
	jade.arm.elf	Get hash	malicious	Mirai	Browse	57.181.207.238

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb0b38c2-3bcf-4223-a6aa-eb03c792117c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179031751537692
Encrypted:	false
SSDEEP:	192:bjMilRycbhbVbTbfbRbObtbyEl7nMrh3JA6WnSrDtTUd/SkDrW:bYncNhnzFSJsrheBnSrDhUd/4
MD5:	A3DE86499DBCE5A7BB87A027C111445F
SHA1:	5709E02A9AAD49A90343368C2D9C546886708392
SHA-256:	C29636BD402EFBAB2CD8D6E04673D7D5B338B0C1E9FDF14AAEDA134785629F3C
SHA-512:	DEA2489E8A963EEE4D96BF18A98E5EB13D7BFD6CA8BBF395A907CA07A91CE360CD8BBBDBDF952A0615B50B0AD5AFFE3FD13D2B6295B852C0DC8ECDF0ADBEE793
Malicious:	false
Preview:	{"type":"uninstall","id":"cb0b38c2-3bcf-4223-a6aa-eb03c792117c","creationDate":"2024-12-13T02:31:59.865Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb0b38c2-3bcf-4223-a6aa-eb03c792117c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179031751537692
Encrypted:	false
SSDEEP:	192:bjMilRycbhbVbTbfbRbObtbyEl7nMrh3JA6WnSrDtTUd/SkDrW:bYncNhnzFSJsrheBnSrDhUd/4
MD5:	A3DE86499DBCE5A7BB87A027C111445F
SHA1:	5709E02A9AAD49A90343368C2D9C546886708392
SHA-256:	C29636BD402EFBAB2CD8D6E04673D7D5B338B0C1E9FDF14AAEDA134785629F3C
SHA-512:	DEA2489E8A963EEE4D96BF18A98E5EB13D7BFD6CA8BBF395A907CA07A91CE360CD8BBBDBDF952A0615B50B0AD5AFFE3FD13D2B6295B852C0DC8ECDF0ADBEE793
Malicious:	false
Preview:	{"type":"uninstall","id":"cb0b38c2-3bcf-4223-a6aa-eb03c792117c","creationDate":"2024-12-13T02:31:59.865Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312348752034743
Encrypted:	false
SSDEEP:	24:LdfVLAGTIUx2dWoM153LN8zmudfVLAGswM+bpoqdWoM153LFX1RgmsdfVLAG6lVa:LdC/UgdwoztdCJ6BdwADdCpadwi1
MD5:	B97F03C087C62B3F2CB09A26A3CC51A0
SHA1:	E78B2D46D53EA90A044182AD7FFC11687463A295
SHA-256:	DAA99107AF446753C3ED29224959A28CB2580AC87119D513FE0BD526CF3A4F31
SHA-512:	ADBBA35289C60FC0CFEFB803EE1C842F9F06CA08BBADCB7DA98B4B1BD8039039E17CBED6EEBCB9D3B95B91D94A7034FFAC47CAB313782CBD4333BA352B42D80B
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........6...L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Yp.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Yp.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Yp...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~t?.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312348752034743
Encrypted:	false
SSDEEP:	24:LdfVLAGTIUx2dWoM153LN8zmudfVLAGswM+bpoqdWoM153LFX1RgmsdfVLAG6lVa:LdC/UgdwoztdCJ6BdwADdCpadwi1
MD5:	B97F03C087C62B3F2CB09A26A3CC51A0
SHA1:	E78B2D46D53EA90A044182AD7FFC11687463A295
SHA-256:	DAA99107AF446753C3ED29224959A28CB2580AC87119D513FE0BD526CF3A4F31
SHA-512:	ADBBA35289C60FC0CFEFB803EE1C842F9F06CA08BBADCB7DA98B4B1BD8039039E17CBED6EEBCB9D3B95B91D94A7034FFAC47CAB313782CBD4333BA352B42D80B
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........6...L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Yp.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Yp.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Yp...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~t?.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HF3Z20WF5YJVRHUZUD5O.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312348752034743
Encrypted:	false
SSDEEP:	24:LdfVLAGTIUx2dWoM153LN8zmudfVLAGswM+bpoqdWoM153LFX1RgmsdfVLAG6lVa:LdC/UgdwoztdCJ6BdwADdCpadwi1
MD5:	B97F03C087C62B3F2CB09A26A3CC51A0
SHA1:	E78B2D46D53EA90A044182AD7FFC11687463A295
SHA-256:	DAA99107AF446753C3ED29224959A28CB2580AC87119D513FE0BD526CF3A4F31
SHA-512:	ADBBA35289C60FC0CFEFB803EE1C842F9F06CA08BBADCB7DA98B4B1BD8039039E17CBED6EEBCB9D3B95B91D94A7034FFAC47CAB313782CBD4333BA352B42D80B
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........6...L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Yp.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Yp.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Yp...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~t?.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQDKMV34L7B6IY88EMNA.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312348752034743
Encrypted:	false
SSDEEP:	24:LdfVLAGTIUx2dWoM153LN8zmudfVLAGswM+bpoqdWoM153LFX1RgmsdfVLAG6lVa:LdC/UgdwoztdCJ6BdwADdCpadwi1
MD5:	B97F03C087C62B3F2CB09A26A3CC51A0
SHA1:	E78B2D46D53EA90A044182AD7FFC11687463A295
SHA-256:	DAA99107AF446753C3ED29224959A28CB2580AC87119D513FE0BD526CF3A4F31
SHA-512:	ADBBA35289C60FC0CFEFB803EE1C842F9F06CA08BBADCB7DA98B4B1BD8039039E17CBED6EEBCB9D3B95B91D94A7034FFAC47CAB313782CBD4333BA352B42D80B
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........6...L..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Yp.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Yp.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Yp...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............~t?.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929672696188856
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNW9q:8S+OfJQPUFpOdwNIOdYVjvYcXaNLBJ8P
MD5:	931BA25D1A4AE342D561DBFABAFDCE7C
SHA1:	72C5FB3BFF4F4A98CE4C287458280EC22573F5A2
SHA-256:	C7E7D0EA65E89C40330C4B5CC5C637DA978C0CA5501FE6690794167480E82AD3
SHA-512:	8F00B2359D2BA4F5C19E0650A9C84E44C368397E07046BF5227D536E390D2AC25273D11F6789E34B0241F7CB67E032E38813A3F9C81D373CA4722210C2715910
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929672696188856
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNW9q:8S+OfJQPUFpOdwNIOdYVjvYcXaNLBJ8P
MD5:	931BA25D1A4AE342D561DBFABAFDCE7C
SHA1:	72C5FB3BFF4F4A98CE4C287458280EC22573F5A2
SHA-256:	C7E7D0EA65E89C40330C4B5CC5C637DA978C0CA5501FE6690794167480E82AD3
SHA-512:	8F00B2359D2BA4F5C19E0650A9C84E44C368397E07046BF5227D536E390D2AC25273D11F6789E34B0241F7CB67E032E38813A3F9C81D373CA4722210C2715910
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330954253084002
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki/t:DLhesh7Owd4+ji
MD5:	C3E34E4A4A3368AAE29CE297C192D7CA
SHA1:	04BD94805CF99B325566D5B2499C313D34C25769
SHA-256:	EA3C0BAC9478E92FE05A0979BAEDB5CEA1C8AF79BAB6D9E2ECCB5FF1A47B1F09
SHA-512:	FBC9B9D817BE0B330CCA912897160F7A636D51BE887B83176D2C41DAB892A9B7052191CE352C874F02A7C240B419C42C43D9EFF8FA9461277270EB0C79D336F5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039751381258926154
Encrypted:	false
SSDEEP:	3:GHlhVVypkvcC4lYldlhVVypkvcC4/Xol8a9//Ylll4llqlyllel4lt:G7VRJ4ihVRJ4AL9XIwlio
MD5:	0759686EFBDBAAA7987589AC50679048
SHA1:	416F2EB64D7393485D35B1388F9731713E4F6D67
SHA-256:	04F66D7275AF8A18A1B47FA2CDA4DACECF9CE7D63CF1519A16AC765EF612973D
SHA-512:	9F8D65AE3C0396DB80029E26C7BF18124B639DFBECF76C0D52108CC83B27811AE7A1957918F6F3627CAAE6F6F9DE55BEC33A7481BD1867BEE1976E61E4933496
Malicious:	false
Preview:	..-.....................x%.;..<..1u.F.T..A..].....-.....................x%.;..<..1u.F.T..A..]...........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11794868465400901
Encrypted:	false
SSDEEP:	24:KFfkvLxsZ+8jxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxWwlZAVZ2i7+:iMVQbJtUnWdU+RVxXqZk
MD5:	1477D24D5305C65F4992B1E2CB1AAB12
SHA1:	6353C7E8BDAF579A91082BB8996A8831E6BEF3A4
SHA-256:	3A0DB69F1C7E56768E9E71BF2DEEEA521391AB2D066FDC3D65E219C09C49545F
SHA-512:	50CBE01F1AF3D4409E590A2A0ACD817E09D8A63C127A1FA162A96281FAF53C9AEBECBB2CE70A24127E9C0B7E49F0159CB4E41F4E560316E1F32D4F0D242E2491
Malicious:	false
Preview:	7....-...........1u.F.T..<4..............1u.F.T..7....].................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4963107070311175
Encrypted:	false
SSDEEP:	192:REnaRtLYbBp68hj4qyaaXn6KbNNDtk5RfGNBw8dESl:RZeeqVgnacwX0
MD5:	4D8F8CEA0C61708EC5ACD82E1829CF1E
SHA1:	70D49BF8BF618723B7BC6F9E6846F84BC5FAFFB5
SHA-256:	43E8D6D722A1755A92FBDE55CEB6B2C856D6F86D8637A3FBCB870673AB5EA3AF
SHA-512:	E41045A027663C109D5E1A063C14E98E0910928A07199D34A74350255FE70CD94324C416015A1D155D3C299B22C2685230F2FD64E929A80F748B5EE204035421
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734057089);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734057089);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734057089);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173405

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4963107070311175
Encrypted:	false
SSDEEP:	192:REnaRtLYbBp68hj4qyaaXn6KbNNDtk5RfGNBw8dESl:RZeeqVgnacwX0
MD5:	4D8F8CEA0C61708EC5ACD82E1829CF1E
SHA1:	70D49BF8BF618723B7BC6F9E6846F84BC5FAFFB5
SHA-256:	43E8D6D722A1755A92FBDE55CEB6B2C856D6F86D8637A3FBCB870673AB5EA3AF
SHA-512:	E41045A027663C109D5E1A063C14E98E0910928A07199D34A74350255FE70CD94324C416015A1D155D3C299B22C2685230F2FD64E929A80F748B5EE204035421
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734057089);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734057089);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734057089);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173405

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1620
Entropy (8bit):	6.391301889821029
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSWELXnIgjxC/pnxQwRls6ZspHoGH3j6xiMDtdvL/5QH2oKq7urD/I00:cpOxpEMnRTZYnGxHDhUgwa4
MD5:	0153B3938D80E94ACBFFA39F71D358F3
SHA1:	A4E954C6FBDF909E5446BC0748790451B096D5E3
SHA-256:	6DD051AA424348C597A7BFB5F67B154F4275EAC5341CAD7A3EBBDA07D8C23A03
SHA-512:	7E604A75464D19A4C73729BFE17BC21A656DFD4F266E5BC6CCA671A22F922613F34B779C04F04FD9633C11CBB85FDB2B06DE05A537303DD65558D790D42578C0
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{754c1797-38a3-4bdf-a0bb-51db877e9330}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734057095163,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate.....wtartTim..P59478...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...68967,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1620
Entropy (8bit):	6.391301889821029
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSWELXnIgjxC/pnxQwRls6ZspHoGH3j6xiMDtdvL/5QH2oKq7urD/I00:cpOxpEMnRTZYnGxHDhUgwa4
MD5:	0153B3938D80E94ACBFFA39F71D358F3
SHA1:	A4E954C6FBDF909E5446BC0748790451B096D5E3
SHA-256:	6DD051AA424348C597A7BFB5F67B154F4275EAC5341CAD7A3EBBDA07D8C23A03
SHA-512:	7E604A75464D19A4C73729BFE17BC21A656DFD4F266E5BC6CCA671A22F922613F34B779C04F04FD9633C11CBB85FDB2B06DE05A537303DD65558D790D42578C0
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{754c1797-38a3-4bdf-a0bb-51db877e9330}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734057095163,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate.....wtartTim..P59478...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...68967,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1620
Entropy (8bit):	6.391301889821029
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSWELXnIgjxC/pnxQwRls6ZspHoGH3j6xiMDtdvL/5QH2oKq7urD/I00:cpOxpEMnRTZYnGxHDhUgwa4
MD5:	0153B3938D80E94ACBFFA39F71D358F3
SHA1:	A4E954C6FBDF909E5446BC0748790451B096D5E3
SHA-256:	6DD051AA424348C597A7BFB5F67B154F4275EAC5341CAD7A3EBBDA07D8C23A03
SHA-512:	7E604A75464D19A4C73729BFE17BC21A656DFD4F266E5BC6CCA671A22F922613F34B779C04F04FD9633C11CBB85FDB2B06DE05A537303DD65558D790D42578C0
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{754c1797-38a3-4bdf-a0bb-51db877e9330}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734057095163,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate.....wtartTim..P59478...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...68967,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0334882801600385
Encrypted:	false
SSDEEP:	48:YrSAYOo6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	358AF1E417B85C0EE99F61E4CDCD8AF6
SHA1:	7E5DC78E9725219CCECA9B4C20D65FB4EE3A96BD
SHA-256:	B2C57B3A7D2AE322BB2E3530AF34D7969AB20833ADAF87847C29292C66D381F0
SHA-512:	DDFEB8C487AAFAC30D500473A9FAAED3CCA4BC5AFDCF92EDA4C051115524925E97DD2C53F3D29FFF4F64C7A7F90078EDC04C3C047B148FF9E72845EBAD8BB46A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T02:31:15.548Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0334882801600385
Encrypted:	false
SSDEEP:	48:YrSAYOo6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	358AF1E417B85C0EE99F61E4CDCD8AF6
SHA1:	7E5DC78E9725219CCECA9B4C20D65FB4EE3A96BD
SHA-256:	B2C57B3A7D2AE322BB2E3530AF34D7969AB20833ADAF87847C29292C66D381F0
SHA-512:	DDFEB8C487AAFAC30D500473A9FAAED3CCA4BC5AFDCF92EDA4C051115524925E97DD2C53F3D29FFF4F64C7A7F90078EDC04C3C047B148FF9E72845EBAD8BB46A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T02:31:15.548Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.704022768887585
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	970'752 bytes
MD5:	04d0f18ac9713155e57d1c5e6733c25d
SHA1:	78ad7176da493648aff7a8eb7883e7e0a802b57b
SHA256:	94a25e4bcc070ef78547d1e46fded69e0b5be89dd7e231d61e3db8d8581d8cbd
SHA512:	3f6c512f4b74e9289dccf1afacf7908ccf1b4328fa3f7178762273ac9b65fcf933da358f481106b8fdcb59711ab4c609086e4d195ab01eae69f9bffea34ddd00
SSDEEP:	24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8abZkOU:3TvC/MTQYxsWR7abmO
TLSH:	65259E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B7B67 [Fri Dec 13 00:10:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FD1291CCA33h
jmp 00007FD1291CC33Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD1291CC51Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD1291CC4EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD1291CF0DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FD1291CF128h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FD1291CF111h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x1643c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x1643c	0x16600	e51bf25e66d670409f80173c6f441bfd	False	0.7011936976256983	data	7.175909197456017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd5c0	data			1.0004751461988304
RT_GROUP_ICON	0xe9ebc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9f34	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9f48	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9f5c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9f70	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea04c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 01:35:34.930697918 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:34.930757999 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 01:35:34.931351900 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:34.936145067 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:34.936161995 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 01:35:36.166151047 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 01:35:36.174482107 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:36.186781883 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:36.186831951 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 01:35:36.186923027 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:36.187416077 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 01:35:36.195034981 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:35:37.577522039 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:37.577558994 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:37.577622890 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:37.577689886 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:37.578447104 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:37.578470945 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:37.579788923 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:37.579803944 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:37.591221094 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:37.591264963 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:37.819360971 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:37.939176083 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:37.939251900 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:37.939414024 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:38.059169054 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:38.720558882 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:38.720638037 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:38.720876932 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:38.720896959 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:38.731713057 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:38.731714010 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:38.732048988 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:38.732083082 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:38.733438969 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:38.733463049 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:38.880372047 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:38.880429983 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:38.880564928 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:38.881985903 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:38.882020950 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:39.027370930 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:39.081960917 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:39.146739960 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:39.146816015 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 01:35:39.146893024 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:39.146994114 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:39.147018909 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 01:35:39.201240063 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:39.287547112 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.287811995 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.289000034 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.289238930 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.289933920 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.290216923 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.290927887 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.290990114 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.293423891 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.293423891 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.293437004 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.293730974 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.293893099 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.295391083 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.295447111 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.295476913 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.295752048 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 01:35:39.297689915 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 01:35:39.321059942 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:39.321170092 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:39.450817108 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:39.570820093 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:39.955513954 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:39.955564976 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:39.955632925 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:39.958770037 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:39.958791018 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:39.959167004 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:39.961559057 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:39.961642981 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:39.961738110 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:39.961803913 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:39.965467930 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:39.965482950 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:39.965573072 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.970081091 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.970092058 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:39.970176935 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.970278978 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:39.970504999 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.970541000 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:39.970587015 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.970737934 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.972008944 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:39.972021103 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:40.028304100 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.116543055 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:40.122622013 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.126910925 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.126943111 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:40.126975060 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.127197981 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:40.127471924 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.148165941 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.344613075 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.344813108 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.374156952 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 01:35:40.374485016 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:40.376919031 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:40.376934052 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 01:35:40.377367973 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 01:35:40.378978968 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:40.379036903 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:40.379152060 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 01:35:40.408056974 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.408229113 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.439182043 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.439225912 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:40.446105957 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.448307037 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.449398994 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:40.449423075 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:40.464880943 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.465025902 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.528359890 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.535902023 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.566040993 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.570687056 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.571249962 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.622066975 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.691139936 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.742147923 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:40.759541035 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.759738922 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:40.879466057 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:41.197140932 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.197236061 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.201534033 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.201544046 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.201610088 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.201824903 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.202580929 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.657013893 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:41.670016050 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.670036077 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.670093060 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.673800945 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.673810959 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.673887014 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.674071074 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 01:35:41.674197912 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 01:35:41.701148987 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:41.845748901 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:41.886123896 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:43.169831038 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:43.170593023 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:43.289625883 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:43.290385962 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:43.484400034 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:43.488559008 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:43.541584969 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:43.541688919 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:43.595521927 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:43.595583916 CET	443	49753	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:43.595752001 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:43.595907927 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:43.595933914 CET	443	49753	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:43.616148949 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:43.616178989 CET	443	49754	34.149.100.209	192.168.2.4
Dec 13, 2024 01:35:43.622334003 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:43.623795986 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:43.623807907 CET	443	49754	34.149.100.209	192.168.2.4
Dec 13, 2024 01:35:43.630131006 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:43.630182981 CET	443	49755	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:43.630259037 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:43.631537914 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:43.631552935 CET	443	49755	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:43.667459011 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:43.667490005 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:43.668616056 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:43.669936895 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:43.669953108 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:44.816183090 CET	443	49753	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:44.816286087 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:44.819005966 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:44.819035053 CET	443	49753	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:44.819401026 CET	443	49753	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:44.821682930 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:44.821767092 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:44.822053909 CET	443	49753	35.244.181.201	192.168.2.4
Dec 13, 2024 01:35:44.822155952 CET	49753	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:35:44.841820955 CET	443	49754	34.149.100.209	192.168.2.4
Dec 13, 2024 01:35:44.841912985 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:44.846251965 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:44.846282005 CET	443	49754	34.149.100.209	192.168.2.4
Dec 13, 2024 01:35:44.846329927 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:44.846545935 CET	443	49754	34.149.100.209	192.168.2.4
Dec 13, 2024 01:35:44.846606016 CET	49754	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:35:44.856231928 CET	443	49755	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:44.856327057 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:44.860833883 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:44.860869884 CET	443	49755	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:44.860928059 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:44.861145020 CET	443	49755	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:44.861202002 CET	49755	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:44.894105911 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:44.894186974 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:44.898391008 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:44.898391008 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:44.898411036 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:44.898691893 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:44.898742914 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.640256882 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:46.705365896 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:46.760509014 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:46.825515985 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:46.893268108 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893347025 CET	443	49759	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:46.893429041 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893472910 CET	443	49760	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:46.893615007 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893672943 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893719912 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893745899 CET	443	49759	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:46.893763065 CET	443	49761	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:46.893785000 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893836021 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893841028 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.893851042 CET	443	49760	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:46.895097971 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:46.895137072 CET	443	49761	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:46.955256939 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:46.995881081 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:47.020904064 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:47.064898968 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:48.111948967 CET	443	49761	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.112165928 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.113795996 CET	443	49760	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.113861084 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.114877939 CET	443	49759	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.115020990 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.196203947 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:48.198770046 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.198841095 CET	443	49759	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.199717045 CET	443	49759	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.202013969 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.202039957 CET	443	49760	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.202934027 CET	443	49760	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.211780071 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.211821079 CET	443	49761	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.211841106 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.211958885 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.211960077 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.212357044 CET	443	49761	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.212510109 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.212510109 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.212532997 CET	443	49759	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.212661982 CET	49761	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.212677956 CET	49759	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.212879896 CET	443	49760	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:48.212985039 CET	49760	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:48.316230059 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:48.542851925 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:48.584888935 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:49.463980913 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:49.583729982 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:49.778959990 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:49.821280956 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:50.018389940 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:50.018490076 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:50.018801928 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:50.020004988 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:50.020040989 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:50.080614090 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:50.200443983 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:50.395636082 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:50.448779106 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:51.332293987 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:51.332628965 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:52.425019026 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:52.425059080 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:52.425117970 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:52.425645113 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 01:35:52.425738096 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:35:53.401035070 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:53.402354956 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:53.402415991 CET	443	49767	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:53.402904034 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:53.405854940 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:53.405886889 CET	443	49767	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:53.521209002 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:53.716191053 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:53.758821964 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:54.318572998 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:54.438560963 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:54.625508070 CET	443	49767	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:54.625614882 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:54.632117033 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:54.632142067 CET	443	49767	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:54.632263899 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:54.632458925 CET	443	49767	34.107.243.93	192.168.2.4
Dec 13, 2024 01:35:54.633263111 CET	49767	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:35:54.633439064 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:54.636145115 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:54.677189112 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:54.755913973 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:54.950922012 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:54.955523014 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:54.993700981 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:35:55.075367928 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:55.270462036 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:35:55.325872898 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:03.735670090 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:03.735697985 CET	443	49768	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:03.735902071 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:03.735902071 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:03.735939980 CET	443	49768	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:03.759552002 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:03.759574890 CET	443	49769	35.190.72.216	192.168.2.4
Dec 13, 2024 01:36:03.772062063 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:03.773821115 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:03.773852110 CET	443	49769	35.190.72.216	192.168.2.4
Dec 13, 2024 01:36:03.904155016 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:03.904206991 CET	443	49770	35.201.103.21	192.168.2.4
Dec 13, 2024 01:36:03.904588938 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:03.906040907 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:03.906073093 CET	443	49770	35.201.103.21	192.168.2.4
Dec 13, 2024 01:36:03.967760086 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:03.967828035 CET	443	49771	151.101.1.91	192.168.2.4
Dec 13, 2024 01:36:03.968048096 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:03.968149900 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:03.968166113 CET	443	49771	151.101.1.91	192.168.2.4
Dec 13, 2024 01:36:04.061007023 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:04.061043978 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:04.061233997 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:04.061322927 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:04.061348915 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:04.749456882 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:04.749491930 CET	443	49773	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:04.749794006 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:04.751281977 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:04.751292944 CET	443	49773	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:04.954879999 CET	443	49768	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:04.954999924 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:04.958270073 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:04.958298922 CET	443	49768	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:04.958961964 CET	443	49768	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:04.959810019 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:04.961107969 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:04.961218119 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:04.961297989 CET	443	49768	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:04.963080883 CET	49768	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:04.965178013 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:04.994261980 CET	443	49769	35.190.72.216	192.168.2.4
Dec 13, 2024 01:36:04.994293928 CET	443	49769	35.190.72.216	192.168.2.4
Dec 13, 2024 01:36:04.994343996 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:04.999356031 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:04.999392986 CET	443	49769	35.190.72.216	192.168.2.4
Dec 13, 2024 01:36:04.999465942 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:04.999743938 CET	443	49769	35.190.72.216	192.168.2.4
Dec 13, 2024 01:36:05.000010014 CET	49769	443	192.168.2.4	35.190.72.216
Dec 13, 2024 01:36:05.079700947 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.084948063 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.131194115 CET	443	49770	35.201.103.21	192.168.2.4
Dec 13, 2024 01:36:05.131309032 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:05.135839939 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:05.135852098 CET	443	49770	35.201.103.21	192.168.2.4
Dec 13, 2024 01:36:05.135948896 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:05.136113882 CET	443	49770	35.201.103.21	192.168.2.4
Dec 13, 2024 01:36:05.136611938 CET	49770	443	192.168.2.4	35.201.103.21
Dec 13, 2024 01:36:05.149481058 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:05.149555922 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:05.149667025 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:05.149755955 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:05.149775028 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:05.194050074 CET	443	49771	151.101.1.91	192.168.2.4
Dec 13, 2024 01:36:05.194262028 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:05.197570086 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:05.197582960 CET	443	49771	151.101.1.91	192.168.2.4
Dec 13, 2024 01:36:05.197968006 CET	443	49771	151.101.1.91	192.168.2.4
Dec 13, 2024 01:36:05.200942039 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:05.201066971 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:05.201127052 CET	443	49771	151.101.1.91	192.168.2.4
Dec 13, 2024 01:36:05.201241016 CET	49771	443	192.168.2.4	151.101.1.91
Dec 13, 2024 01:36:05.209281921 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.209374905 CET	443	49775	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.209559917 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.209649086 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.209669113 CET	443	49775	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.211354971 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.211411953 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.212241888 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.212387085 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.212415934 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.214941978 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.214994907 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.215112925 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.215210915 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.215225935 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.276284933 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:05.278520107 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.279963017 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.283338070 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.288218021 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.291080952 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.291100979 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.291986942 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.294364929 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.294440985 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.294759989 CET	443	49772	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:05.297004938 CET	49772	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:05.297419071 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:05.300673962 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:05.395953894 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.417094946 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.420413971 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.613739967 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.616172075 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.625040054 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:05.661845922 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:05.744805098 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.939618111 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:05.969208956 CET	443	49773	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:05.969350100 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:05.974385977 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:05.974385977 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:05.974395990 CET	443	49773	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:05.974596024 CET	443	49773	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:05.975601912 CET	49773	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:05.977658033 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.000925064 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.097501993 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:06.292757988 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:06.302663088 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.348205090 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.366723061 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:06.366817951 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:06.369823933 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:06.369848013 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:06.370234966 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:06.372940063 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:06.373053074 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:06.373114109 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 01:36:06.373261929 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 01:36:06.377696037 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.422709942 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:06.456846952 CET	443	49775	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.456959009 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.459803104 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.459831953 CET	443	49775	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.460244894 CET	443	49775	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.460278988 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.460361958 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.462454081 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.462466002 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.462794065 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.464406013 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.464716911 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.466974020 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.466980934 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.467463017 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.467539072 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.467740059 CET	443	49775	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.467782021 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.468822956 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.468894958 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.468997955 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.471127987 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.471127987 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.471333981 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 01:36:06.473433971 CET	49775	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.473468065 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.473484993 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.473578930 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 01:36:06.497441053 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:06.618158102 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:06.664793015 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.692703009 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:06.696275949 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.733762980 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:06.816373110 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:07.011060953 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:07.065872908 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:16.693936110 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:16.814259052 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:17.032561064 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:17.152766943 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:23.355720997 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:23.475536108 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:23.670660973 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:23.674576044 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:23.717612028 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:23.794560909 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:23.991210938 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:24.034197092 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:26.245943069 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:26.246046066 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:26.246376038 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:26.247589111 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:26.247622967 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:27.468375921 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:27.468692064 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:27.474952936 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:27.474967957 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:27.475007057 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:27.475233078 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 01:36:27.475503922 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:36:27.478821993 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:27.601711035 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:27.796674013 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:27.800957918 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:27.845597982 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:27.920912027 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:28.116614103 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:28.161958933 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:34.010596991 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.010633945 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:34.010804892 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.010893106 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:34.011233091 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.011416912 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.011425018 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.011431932 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:34.011552095 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.011593103 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:34.027873039 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.027961969 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:34.029107094 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.029277086 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:34.029310942 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.223526955 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.223630905 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.227355957 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.227376938 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.227598906 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.228844881 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.229064941 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.232238054 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.232269049 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.232672930 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.233711958 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.233850002 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.233865023 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.233880997 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.236105919 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.236191034 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.236295938 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.238218069 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.240057945 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:35.242621899 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.242734909 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.246150970 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.246176004 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.246526003 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.248951912 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.249023914 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.249119043 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.249850035 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.359786987 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:35.439327002 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 01:36:35.439467907 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:36:35.555455923 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:35.560161114 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:35.603542089 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:35.680011034 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:35.875143051 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:35.920089960 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:45.569650888 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:45.689917088 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:45.886195898 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:46.006702900 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:55.703898907 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:55.823846102 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:36:56.022422075 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:36:56.142349958 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:05.847366095 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:05.967952967 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:06.148190022 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:06.268152952 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:07.797521114 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:07.797563076 CET	443	49882	34.107.243.93	192.168.2.4
Dec 13, 2024 01:37:07.797849894 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:07.799468994 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:07.799484015 CET	443	49882	34.107.243.93	192.168.2.4
Dec 13, 2024 01:37:09.017503977 CET	443	49882	34.107.243.93	192.168.2.4
Dec 13, 2024 01:37:09.021102905 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:09.031013966 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:09.031045914 CET	443	49882	34.107.243.93	192.168.2.4
Dec 13, 2024 01:37:09.031109095 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:09.031589031 CET	443	49882	34.107.243.93	192.168.2.4
Dec 13, 2024 01:37:09.032721996 CET	49882	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:37:09.034301996 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:09.153980970 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:09.350032091 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:09.355181932 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:09.399530888 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:09.474953890 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:09.674017906 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:09.731339931 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:19.359838963 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:19.479460955 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:19.683880091 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:19.803529978 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:29.489280939 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:29.609247923 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:29.804692984 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:29.924484015 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:39.617600918 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:39.737763882 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:39.940649986 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:40.062360048 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:49.747617960 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:49.867427111 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:50.070682049 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:50.190438032 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:37:59.877832890 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:37:59.999113083 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:00.201280117 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:00.320975065 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:10.007253885 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:10.127008915 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:10.330316067 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:10.450125933 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:20.136451006 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:20.256236076 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:20.459392071 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:20.579308987 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:29.944668055 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:29.944705009 CET	443	50052	34.107.243.93	192.168.2.4
Dec 13, 2024 01:38:29.945004940 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:29.946346998 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:29.946366072 CET	443	50052	34.107.243.93	192.168.2.4
Dec 13, 2024 01:38:30.265419960 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:30.385334969 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:30.588150024 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:30.709319115 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:31.171406031 CET	443	50052	34.107.243.93	192.168.2.4
Dec 13, 2024 01:38:31.171480894 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:31.178683043 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:31.178689957 CET	443	50052	34.107.243.93	192.168.2.4
Dec 13, 2024 01:38:31.178806067 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:31.178893089 CET	443	50052	34.107.243.93	192.168.2.4
Dec 13, 2024 01:38:31.179156065 CET	50052	443	192.168.2.4	34.107.243.93
Dec 13, 2024 01:38:31.182478905 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:31.302315950 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:31.497299910 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:31.504415035 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:31.553468943 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:31.624226093 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:31.819647074 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:31.867337942 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:35.404807091 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.404830933 CET	443	50053	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.405107975 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405133963 CET	443	50054	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.405252934 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405260086 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.405407906 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405482054 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405494928 CET	443	50056	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.405502081 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405508041 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405613899 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405621052 CET	443	50053	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.405760050 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405771971 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.405837059 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.405849934 CET	443	50054	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:35.406016111 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.406091928 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:35.406112909 CET	443	50056	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.616597891 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.616684914 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.617975950 CET	443	50054	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.618114948 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.620937109 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.620945930 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.621175051 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.621424913 CET	443	50056	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.621501923 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.624406099 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.624422073 CET	443	50054	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.624735117 CET	443	50054	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.625741959 CET	443	50053	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.627027988 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.627058983 CET	443	50056	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.627171993 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.627285004 CET	443	50056	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.629622936 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.629626989 CET	443	50053	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.630029917 CET	443	50053	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.632261992 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.632427931 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.632534027 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.632540941 CET	443	50055	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.633382082 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.633526087 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.633553028 CET	443	50054	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.633898020 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.633944988 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.634130001 CET	443	50053	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.634335995 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.634516954 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.634577990 CET	443	50056	34.120.208.123	192.168.2.4
Dec 13, 2024 01:38:36.635103941 CET	50054	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.635113001 CET	50053	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.635128021 CET	50055	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.635138988 CET	50056	443	192.168.2.4	34.120.208.123
Dec 13, 2024 01:38:36.636583090 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:36.756424904 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:36.759881020 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:36.776192904 CET	50057	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:36.896008015 CET	80	50057	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:36.901123047 CET	50057	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:36.901240110 CET	50057	80	192.168.2.4	34.107.221.82
Dec 13, 2024 01:38:37.021146059 CET	80	50057	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:37.989012003 CET	80	50057	34.107.221.82	192.168.2.4
Dec 13, 2024 01:38:38.042727947 CET	50057	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 01:35:34.931307077 CET	58303	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:35.068775892 CET	53	58303	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:35.072623968 CET	59058	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:35.210728884 CET	53	59058	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:37.439270020 CET	61227	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:37.439496040 CET	65104	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:37.576442003 CET	53	61227	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:37.578151941 CET	53671	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:37.715306997 CET	53	53671	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:37.715969086 CET	57825	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:37.819561958 CET	65022	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:37.853638887 CET	53	57825	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.149369955 CET	53	65022	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.158090115 CET	64514	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.246689081 CET	59120	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.295957088 CET	53	64514	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.385287046 CET	53	59120	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.721281052 CET	54630	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.721496105 CET	60867	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.741458893 CET	54216	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.860356092 CET	53	60867	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.860393047 CET	53	54630	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.861360073 CET	55057	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.861618996 CET	61595	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.879195929 CET	53	54216	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.880501986 CET	64092	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.987140894 CET	64427	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:38.998816967 CET	53	61595	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:38.999152899 CET	53	55057	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.019033909 CET	53	64092	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.019541979 CET	50968	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:39.052560091 CET	56458	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:39.060909033 CET	55460	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:39.062274933 CET	62048	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:39.124485016 CET	53	64427	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.147078991 CET	62435	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:39.157946110 CET	53	50968	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.190465927 CET	53	56458	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.198780060 CET	53	55460	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.285197973 CET	53	62435	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:39.285859108 CET	51410	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:39.427103043 CET	53	51410	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:41.130537033 CET	54589	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:41.793529034 CET	53	52858	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.149990082 CET	54876	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.208317995 CET	56810	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.287830114 CET	53	54876	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.296878099 CET	62847	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.346386909 CET	53	56810	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.354619026 CET	54977	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.434490919 CET	53	62847	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.443725109 CET	59608	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.456964970 CET	61811	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.475686073 CET	62913	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.491960049 CET	53	54977	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.492526054 CET	59456	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.593868017 CET	53	61811	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.612833977 CET	53	62913	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.616264105 CET	53509	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.629547119 CET	53	59456	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.667550087 CET	58584	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.746414900 CET	53	59608	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.753411055 CET	53	53509	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.754159927 CET	60503	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.804686069 CET	53	58584	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.805409908 CET	56644	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:43.891524076 CET	53	60503	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:43.944298983 CET	53	56644	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:50.019009113 CET	62398	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:50.157627106 CET	53	62398	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:53.408871889 CET	64682	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:53.547283888 CET	53	64682	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.564115047 CET	53060	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.564472914 CET	49859	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.564666986 CET	55755	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.701675892 CET	53	49859	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.701807976 CET	53	53060	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.702868938 CET	53	55755	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.705535889 CET	56381	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.705535889 CET	60983	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.706182957 CET	56006	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.843116045 CET	53	60983	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.843146086 CET	53	56381	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.844834089 CET	53	56006	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.856071949 CET	50599	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.856955051 CET	54481	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.861622095 CET	54440	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.993810892 CET	53	50599	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.994940996 CET	51753	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:54.995347977 CET	53	54481	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:54.996268034 CET	54825	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:55.002696037 CET	53	54440	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:55.132726908 CET	53	51753	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:55.133784056 CET	53	54825	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:55.134001970 CET	58416	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:55.134799957 CET	58890	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:55.271843910 CET	53	58890	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:55.272819996 CET	64363	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:55.273813009 CET	53	58416	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:55.274400949 CET	64107	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:35:55.410082102 CET	53	64363	1.1.1.1	192.168.2.4
Dec 13, 2024 01:35:55.412410975 CET	53	64107	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:03.732844114 CET	64490	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:03.764858007 CET	52724	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:03.902919054 CET	53	52724	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:03.904608965 CET	61117	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:03.966290951 CET	53	64490	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:03.967771053 CET	49840	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:04.046736002 CET	53	61117	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:04.047792912 CET	52314	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:04.061033010 CET	59588	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:04.106168032 CET	53	49840	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:04.106969118 CET	52858	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:04.248013020 CET	53	52858	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:04.266156912 CET	53	52314	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:04.302544117 CET	53	59588	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:04.749622107 CET	58280	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:04.887103081 CET	53	58280	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:26.246309042 CET	50295	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:26.383711100 CET	53	50295	1.1.1.1	192.168.2.4
Dec 13, 2024 01:36:34.010576010 CET	52964	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:36:34.149925947 CET	53	52964	1.1.1.1	192.168.2.4
Dec 13, 2024 01:37:07.657303095 CET	50958	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:37:07.796082020 CET	53	50958	1.1.1.1	192.168.2.4
Dec 13, 2024 01:37:07.798257113 CET	58672	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:37:07.935446978 CET	53	58672	1.1.1.1	192.168.2.4
Dec 13, 2024 01:37:09.034549952 CET	56108	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:29.666806936 CET	54210	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:29.804838896 CET	53	54210	1.1.1.1	192.168.2.4
Dec 13, 2024 01:38:29.806379080 CET	64812	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:29.943646908 CET	53	64812	1.1.1.1	192.168.2.4
Dec 13, 2024 01:38:29.944608927 CET	59767	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:30.081841946 CET	53	59767	1.1.1.1	192.168.2.4
Dec 13, 2024 01:38:31.182229996 CET	62838	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:31.368664026 CET	62838	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:31.428901911 CET	54353	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:31.567523003 CET	53	54353	1.1.1.1	192.168.2.4
Dec 13, 2024 01:38:35.405703068 CET	63857	53	192.168.2.4	1.1.1.1
Dec 13, 2024 01:38:35.542754889 CET	53	63857	1.1.1.1	192.168.2.4
Dec 13, 2024 01:38:36.637176991 CET	63763	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 01:35:34.931307077 CET	192.168.2.4	1.1.1.1	0x34ab	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:35.072623968 CET	192.168.2.4	1.1.1.1	0x6f2d	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:37.439270020 CET	192.168.2.4	1.1.1.1	0xef6a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.439496040 CET	192.168.2.4	1.1.1.1	0xaae	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.578151941 CET	192.168.2.4	1.1.1.1	0xe9bb	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.715969086 CET	192.168.2.4	1.1.1.1	0xdd0	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:37.819561958 CET	192.168.2.4	1.1.1.1	0x96c9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.158090115 CET	192.168.2.4	1.1.1.1	0x9d80	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:38.246689081 CET	192.168.2.4	1.1.1.1	0x5c66	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.721281052 CET	192.168.2.4	1.1.1.1	0xa94e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.721496105 CET	192.168.2.4	1.1.1.1	0x721a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.741458893 CET	192.168.2.4	1.1.1.1	0xbd40	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.861360073 CET	192.168.2.4	1.1.1.1	0x37d7	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:38.861618996 CET	192.168.2.4	1.1.1.1	0xbb9c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:38.880501986 CET	192.168.2.4	1.1.1.1	0x423a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.987140894 CET	192.168.2.4	1.1.1.1	0x807c	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.019541979 CET	192.168.2.4	1.1.1.1	0xbc08	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:39.052560091 CET	192.168.2.4	1.1.1.1	0xe6f2	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.060909033 CET	192.168.2.4	1.1.1.1	0xb52c	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.062274933 CET	192.168.2.4	1.1.1.1	0x6c9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.147078991 CET	192.168.2.4	1.1.1.1	0x67cd	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.285859108 CET	192.168.2.4	1.1.1.1	0x82bf	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:41.130537033 CET	192.168.2.4	1.1.1.1	0xb4b4	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.149990082 CET	192.168.2.4	1.1.1.1	0xdc13	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.208317995 CET	192.168.2.4	1.1.1.1	0xc6d9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.296878099 CET	192.168.2.4	1.1.1.1	0x98f8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.354619026 CET	192.168.2.4	1.1.1.1	0x96d1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.443725109 CET	192.168.2.4	1.1.1.1	0x5eda	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:43.456964970 CET	192.168.2.4	1.1.1.1	0x3a95	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:43.475686073 CET	192.168.2.4	1.1.1.1	0xa537	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.492526054 CET	192.168.2.4	1.1.1.1	0xe096	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:43.616264105 CET	192.168.2.4	1.1.1.1	0x9593	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.667550087 CET	192.168.2.4	1.1.1.1	0x118d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.754159927 CET	192.168.2.4	1.1.1.1	0x3c2b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:35:43.805409908 CET	192.168.2.4	1.1.1.1	0x73a9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:50.019009113 CET	192.168.2.4	1.1.1.1	0x9692	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:53.408871889 CET	192.168.2.4	1.1.1.1	0xdede	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:54.564115047 CET	192.168.2.4	1.1.1.1	0xb1f0	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.564472914 CET	192.168.2.4	1.1.1.1	0x9b1f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.564666986 CET	192.168.2.4	1.1.1.1	0x6893	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.705535889 CET	192.168.2.4	1.1.1.1	0xb72d	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.705535889 CET	192.168.2.4	1.1.1.1	0xe2ce	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.706182957 CET	192.168.2.4	1.1.1.1	0xdbf2	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.856071949 CET	192.168.2.4	1.1.1.1	0xc4e3	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:54.856955051 CET	192.168.2.4	1.1.1.1	0x4d55	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:54.861622095 CET	192.168.2.4	1.1.1.1	0x42e5	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 01:35:54.994940996 CET	192.168.2.4	1.1.1.1	0xffae	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.996268034 CET	192.168.2.4	1.1.1.1	0x6d3d	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.134001970 CET	192.168.2.4	1.1.1.1	0xe3af	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.134799957 CET	192.168.2.4	1.1.1.1	0x70b2	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.272819996 CET	192.168.2.4	1.1.1.1	0x6570	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 01:35:55.274400949 CET	192.168.2.4	1.1.1.1	0x93ff	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 01:36:03.732844114 CET	192.168.2.4	1.1.1.1	0xf295	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.764858007 CET	192.168.2.4	1.1.1.1	0x4b10	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.904608965 CET	192.168.2.4	1.1.1.1	0x3f41	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.967771053 CET	192.168.2.4	1.1.1.1	0x87d9	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.047792912 CET	192.168.2.4	1.1.1.1	0xe132	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:36:04.061033010 CET	192.168.2.4	1.1.1.1	0xc6e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:36:04.106969118 CET	192.168.2.4	1.1.1.1	0x6ae1	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 01:36:04.749622107 CET	192.168.2.4	1.1.1.1	0x59c9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:36:26.246309042 CET	192.168.2.4	1.1.1.1	0x2786	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:36:34.010576010 CET	192.168.2.4	1.1.1.1	0x3622	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:37:07.657303095 CET	192.168.2.4	1.1.1.1	0xc5ab	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:37:07.798257113 CET	192.168.2.4	1.1.1.1	0x8e12	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:37:09.034549952 CET	192.168.2.4	1.1.1.1	0xb0a7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:29.666806936 CET	192.168.2.4	1.1.1.1	0xe00c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:29.806379080 CET	192.168.2.4	1.1.1.1	0xec4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:29.944608927 CET	192.168.2.4	1.1.1.1	0xae3d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:38:31.182229996 CET	192.168.2.4	1.1.1.1	0xa61d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:31.368664026 CET	192.168.2.4	1.1.1.1	0xa61d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:31.428901911 CET	192.168.2.4	1.1.1.1	0x43f3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 01:38:35.405703068 CET	192.168.2.4	1.1.1.1	0x73a4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 01:38:36.637176991 CET	192.168.2.4	1.1.1.1	0x464b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 01:35:34.928428888 CET	1.1.1.1	192.168.2.4	0x9afd	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:35.068775892 CET	1.1.1.1	192.168.2.4	0x34ab	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.576442003 CET	1.1.1.1	192.168.2.4	0xef6a	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.715306997 CET	1.1.1.1	192.168.2.4	0xe9bb	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.818566084 CET	1.1.1.1	192.168.2.4	0xaae	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:37.818566084 CET	1.1.1.1	192.168.2.4	0xaae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:37.853638887 CET	1.1.1.1	192.168.2.4	0xdd0	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 01:35:38.149369955 CET	1.1.1.1	192.168.2.4	0x96c9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.295957088 CET	1.1.1.1	192.168.2.4	0x9d80	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 01:35:38.371819973 CET	1.1.1.1	192.168.2.4	0x23de	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:38.371819973 CET	1.1.1.1	192.168.2.4	0x23de	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.385287046 CET	1.1.1.1	192.168.2.4	0x5c66	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.860356092 CET	1.1.1.1	192.168.2.4	0x721a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.860393047 CET	1.1.1.1	192.168.2.4	0xa94e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:38.879195929 CET	1.1.1.1	192.168.2.4	0xbd40	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:38.879195929 CET	1.1.1.1	192.168.2.4	0xbd40	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.019033909 CET	1.1.1.1	192.168.2.4	0x423a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.124485016 CET	1.1.1.1	192.168.2.4	0x807c	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:39.124485016 CET	1.1.1.1	192.168.2.4	0x807c	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:39.124485016 CET	1.1.1.1	192.168.2.4	0x807c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.190465927 CET	1.1.1.1	192.168.2.4	0xe6f2	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.198780060 CET	1.1.1.1	192.168.2.4	0xb52c	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.198780060 CET	1.1.1.1	192.168.2.4	0xb52c	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.200485945 CET	1.1.1.1	192.168.2.4	0x6c9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:39.200485945 CET	1.1.1.1	192.168.2.4	0x6c9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.285197973 CET	1.1.1.1	192.168.2.4	0x67cd	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:39.427103043 CET	1.1.1.1	192.168.2.4	0x82bf	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 01:35:41.344607115 CET	1.1.1.1	192.168.2.4	0xb4b4	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:43.287830114 CET	1.1.1.1	192.168.2.4	0xdc13	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:43.287830114 CET	1.1.1.1	192.168.2.4	0xdc13	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:43.287830114 CET	1.1.1.1	192.168.2.4	0xdc13	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.346386909 CET	1.1.1.1	192.168.2.4	0xc6d9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.434490919 CET	1.1.1.1	192.168.2.4	0x98f8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.491960049 CET	1.1.1.1	192.168.2.4	0x96d1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.594460964 CET	1.1.1.1	192.168.2.4	0xdc67	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:43.594460964 CET	1.1.1.1	192.168.2.4	0xdc67	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.612833977 CET	1.1.1.1	192.168.2.4	0xa537	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:43.612833977 CET	1.1.1.1	192.168.2.4	0xa537	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.664396048 CET	1.1.1.1	192.168.2.4	0x4caf	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.753411055 CET	1.1.1.1	192.168.2.4	0x9593	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:43.804686069 CET	1.1.1.1	192.168.2.4	0x118d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:46.891895056 CET	1.1.1.1	192.168.2.4	0x1c38	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:47.031053066 CET	1.1.1.1	192.168.2.4	0x1a1b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:50.017371893 CET	1.1.1.1	192.168.2.4	0xb80	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701675892 CET	1.1.1.1	192.168.2.4	0x9b1f	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701807976 CET	1.1.1.1	192.168.2.4	0xb1f0	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:54.701807976 CET	1.1.1.1	192.168.2.4	0xb1f0	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.702868938 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:54.702868938 CET	1.1.1.1	192.168.2.4	0x6893	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843116045 CET	1.1.1.1	192.168.2.4	0xe2ce	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.843146086 CET	1.1.1.1	192.168.2.4	0xb72d	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.844834089 CET	1.1.1.1	192.168.2.4	0xdbf2	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:54.993810892 CET	1.1.1.1	192.168.2.4	0xc4e3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 01:35:54.993810892 CET	1.1.1.1	192.168.2.4	0xc4e3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 01:35:54.993810892 CET	1.1.1.1	192.168.2.4	0xc4e3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 01:35:54.993810892 CET	1.1.1.1	192.168.2.4	0xc4e3	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 01:35:54.995347977 CET	1.1.1.1	192.168.2.4	0x4d55	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 01:35:55.002696037 CET	1.1.1.1	192.168.2.4	0x42e5	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 01:35:55.132726908 CET	1.1.1.1	192.168.2.4	0xffae	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:35:55.132726908 CET	1.1.1.1	192.168.2.4	0xffae	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.132726908 CET	1.1.1.1	192.168.2.4	0xffae	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.132726908 CET	1.1.1.1	192.168.2.4	0xffae	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.132726908 CET	1.1.1.1	192.168.2.4	0xffae	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.133784056 CET	1.1.1.1	192.168.2.4	0x6d3d	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.271843910 CET	1.1.1.1	192.168.2.4	0x70b2	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.273813009 CET	1.1.1.1	192.168.2.4	0xe3af	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.273813009 CET	1.1.1.1	192.168.2.4	0xe3af	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.273813009 CET	1.1.1.1	192.168.2.4	0xe3af	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:35:55.273813009 CET	1.1.1.1	192.168.2.4	0xe3af	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.902919054 CET	1.1.1.1	192.168.2.4	0x4b10	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:36:03.902919054 CET	1.1.1.1	192.168.2.4	0x4b10	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.966290951 CET	1.1.1.1	192.168.2.4	0xf295	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.966290951 CET	1.1.1.1	192.168.2.4	0xf295	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.966290951 CET	1.1.1.1	192.168.2.4	0xf295	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:03.966290951 CET	1.1.1.1	192.168.2.4	0xf295	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.046736002 CET	1.1.1.1	192.168.2.4	0x3f41	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.059695005 CET	1.1.1.1	192.168.2.4	0xb019	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:36:04.059695005 CET	1.1.1.1	192.168.2.4	0xb019	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.106168032 CET	1.1.1.1	192.168.2.4	0x87d9	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.106168032 CET	1.1.1.1	192.168.2.4	0x87d9	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.106168032 CET	1.1.1.1	192.168.2.4	0x87d9	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.106168032 CET	1.1.1.1	192.168.2.4	0x87d9	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:36:04.248013020 CET	1.1.1.1	192.168.2.4	0x6ae1	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 01:36:04.248013020 CET	1.1.1.1	192.168.2.4	0x6ae1	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 01:36:04.248013020 CET	1.1.1.1	192.168.2.4	0x6ae1	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 01:36:04.248013020 CET	1.1.1.1	192.168.2.4	0x6ae1	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 01:36:06.979847908 CET	1.1.1.1	192.168.2.4	0x3ce6	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:36:06.979847908 CET	1.1.1.1	192.168.2.4	0x3ce6	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:37:07.796082020 CET	1.1.1.1	192.168.2.4	0xc5ab	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:37:09.172324896 CET	1.1.1.1	192.168.2.4	0xb0a7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:37:09.172324896 CET	1.1.1.1	192.168.2.4	0xb0a7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:29.804838896 CET	1.1.1.1	192.168.2.4	0xe00c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:29.943646908 CET	1.1.1.1	192.168.2.4	0xec4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:31.427304029 CET	1.1.1.1	192.168.2.4	0xa61d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:38:31.427304029 CET	1.1.1.1	192.168.2.4	0xa61d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:31.506167889 CET	1.1.1.1	192.168.2.4	0xa61d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:38:31.506167889 CET	1.1.1.1	192.168.2.4	0xa61d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:31.567523003 CET	1.1.1.1	192.168.2.4	0x43f3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 01:38:35.403521061 CET	1.1.1.1	192.168.2.4	0xb6df	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 01:38:36.774857998 CET	1.1.1.1	192.168.2.4	0x464b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 01:38:36.774857998 CET	1.1.1.1	192.168.2.4	0x464b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 01:35:37.939414024 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:39.027370930 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 51973 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:35:40.028304100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:40.344613075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 51975 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 01:35:39.450817108 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:40.408056974 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73596 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 01:35:40.571249962 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:41.657013893 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73597 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:35:43.169831038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:43.484400034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73599 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:35:46.640256882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:46.955256939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73602 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:35:48.196203947 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:48.542851925 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73604 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:35:50.080614090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:50.395636082 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73606 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:35:54.318572998 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:54.633439064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73610 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:35:54.955523014 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:35:55.270462036 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73611 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:05.276284933 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:36:05.297419071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:05.613739967 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73621 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:05.625040054 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:05.939618111 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73621 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:06.302663088 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:06.618158102 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73622 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:06.696275949 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:07.011060953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73622 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:17.032561064 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:36:23.674576044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:23.991210938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73639 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:27.800957918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:28.116614103 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73643 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:35.560161114 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:36:35.875143051 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73651 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:36:45.886195898 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:36:56.022422075 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:06.148190022 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:09.355181932 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:37:09.674017906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73685 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 01:37:19.683880091 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:29.804692984 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:39.940649986 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:50.070682049 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:38:00.201280117 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:38:31.504415035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 01:38:31.819647074 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 04:09:04 GMT Age: 73767 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49751	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 01:35:40.759738922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:41.845748901 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47879 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:35:43.170593023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:43.488559008 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47881 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:35:46.705365896 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:47.020904064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47884 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:35:49.463980913 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:49.778959990 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47887 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:35:53.401035070 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:53.716191053 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47891 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:35:54.636145115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:35:54.950922012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47892 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:04.959810019 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:36:04.965178013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:05.279963017 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47903 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:05.300673962 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:05.616172075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47903 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:05.977658033 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:06.292757988 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47904 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:06.377696037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:06.692703009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47904 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:16.693936110 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:36:23.355720997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:23.670660973 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47921 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:27.478821993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:27.796674013 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:35.240057945 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:36:35.555455923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47933 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:36:45.569650888 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:36:55.703898907 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:05.847366095 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:09.034301996 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:37:09.350032091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 47967 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 01:37:19.359838963 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:29.489280939 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:39.617600918 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:49.747617960 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:37:59.877832890 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 01:38:31.182478905 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:38:31.497299910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 48049 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	50057	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 01:38:36.901240110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 01:38:37.989012003 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 48055 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	19:35:27
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x8a0000
File size:	970'752 bytes
MD5 hash:	04D0F18AC9713155E57D1C5E6733C25D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:35:28
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x390000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:35:28
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:35:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x390000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:35:30
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:35:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x390000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x390000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x390000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:35:31
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	19:35:32
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2196 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aca0763e-a75f-48d8-92fb-b37409b571e2} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ac5f6d510 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:35:35
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5cbb89c-e53b-41c9-8203-635a601926e8} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21ad6195210 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	19:35:42
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2624 -prefMapHandle 2600 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c9482c-04a0-42c9-abee-e7d8adc06386} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 21adffef710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1757
Total number of Limit Nodes:	61

Executed Functions

Function 008A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008A430D

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

GetCurrentProcess.KERNEL32(?,0093CB64,00000000,?,?), ref: 008A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 008A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008A4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 008A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 008A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008A44A0

Strings

|O, xrefs: 008E36F8
GetNativeSystemInfo, xrefs: 008A4460
kernel32.dll, xrefs: 008A444F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 794d1495c881c396c87b0e7d50999da0e225f83d8ad261feb4a2688160d11a09
Instruction ID: 34c6d4b4d64ff018d3b2c154c86b6efde23abbfb5f5cb840d979eaeddb6654e8
Opcode Fuzzy Hash: 794d1495c881c396c87b0e7d50999da0e225f83d8ad261feb4a2688160d11a09
Instruction Fuzzy Hash: B2A1C16393F2C4CFDB11CB7D7C451957FA4BB67304B0858A9E08DE3A62D2604988FB25

Function 008A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008A50AA,?,?,00000000,00000000), ref: 008A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008A50AA,?,?,00000000,00000000), ref: 008A42C9
LoadResource.KERNEL32(?,00000000,?,?,008A50AA,?,?,00000000,00000000,?,?,?,?,?,?,008A4F20), ref: 008E35BE
SizeofResource.KERNEL32(?,00000000,?,?,008A50AA,?,?,00000000,00000000,?,?,?,?,?,?,008A4F20), ref: 008E35D3
LockResource.KERNEL32(008A50AA,?,?,008A50AA,?,?,00000000,00000000,?,?,?,?,?,?,008A4F20,?), ref: 008E35E6

Strings

SCRIPT, xrefs: 008A42BF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 0c187d2bd7ac2d78adcdb4eaffe42c267372cee87725a9c5bddee3076656fd66
Instruction ID: 4e89bad700c7b2ea6c3cdd28a981bae32a6f817ccec0cdf9e2effeb5b867cd05
Opcode Fuzzy Hash: 0c187d2bd7ac2d78adcdb4eaffe42c267372cee87725a9c5bddee3076656fd66
Instruction Fuzzy Hash: 64118EB1240B01BFEB218B65DC48F277BB9FBC6B51F104169F412E6650DBB2DC009B20

Function 008E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 008A2B6B

Part of subcall function 008A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00971418,?,008A2E7F,?,?,?,00000000), ref: 008A3A78

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00962224), ref: 008E2C10
ShellExecuteW.SHELL32(00000000,?,?,00962224), ref: 008E2C17

Strings

runas, xrefs: 008E2C0B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 19eca4aaac9c998bc007b4162aaa3ab91b2ab5305a93feaa0e186b1e844379c4
Instruction ID: f6f8bdc262a9ef7c06530b6c8f3691bb9061aa5a3531814e2b0e197e0bef7e31
Opcode Fuzzy Hash: 19eca4aaac9c998bc007b4162aaa3ab91b2ab5305a93feaa0e186b1e844379c4
Instruction Fuzzy Hash: A911A23210C345ABE724FF6CE8519BE77A4FB93350F44542DF186D25A2CF20864A9713

Function 0090D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0090D501
Process32FirstW.KERNEL32(00000000,?), ref: 0090D50F
Process32NextW.KERNEL32(00000000,?), ref: 0090D52F
CloseHandle.KERNEL32(00000000), ref: 0090D5DC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 65332f9f26b82c30e1406629de1f772d25a5badf74740c3cb08290432b4290cd
Instruction ID: 23aec0889eedeb5002fa7185ad7d14c25772809deddcb79847a152afbbaaf6e6
Opcode Fuzzy Hash: 65332f9f26b82c30e1406629de1f772d25a5badf74740c3cb08290432b4290cd
Instruction Fuzzy Hash: 5C317E711082009FD304EF94CC81AAFBBE8FF9A354F14092DF581962A1EB71A945DB93

Function 0090DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,008E5222), ref: 0090DBCE
GetFileAttributesW.KERNEL32(?), ref: 0090DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0090DBEE
FindClose.KERNEL32(00000000), ref: 0090DBFA

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f86c6d6d568ca98761d01c884ced6213696d7e5bb4423738f1127132d7a70f73
Instruction ID: 87f01e4b61461f32e0ae807371badf4dc1ce89bb2f9de3c32f2f719ab70db620
Opcode Fuzzy Hash: f86c6d6d568ca98761d01c884ced6213696d7e5bb4423738f1127132d7a70f73
Instruction Fuzzy Hash: D5F0A0718299305BD2206BB8AC0D8AB3BAC9E01334B104702F8B6D20E0EBB099549AD5

Function 008FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008FD220

Strings

%.3d, xrefs: 008FD22B
X64, xrefs: 008FD2A8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: cbdb59b31a72b4084501f086e116621be69b618920afb643e1c4a7b20a1b8685
Instruction ID: 4ae411575f28b265853d3c9ba85740ec6eafb0602145b17648941840b0083dde
Opcode Fuzzy Hash: cbdb59b31a72b4084501f086e116621be69b618920afb643e1c4a7b20a1b8685
Instruction Fuzzy Hash: EAD012A180830CE9CB5097F0DC458FAB37DFB08309F508452FB06E1141E634E5086BA2

Function 008C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008D28E9,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002,00000000,?,008D28E9), ref: 008C4D09
TerminateProcess.KERNEL32(00000000,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002,00000000,?,008D28E9), ref: 008C4D10
ExitProcess.KERNEL32 ref: 008C4D22

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 223e6b759f5c8ae50cc1aee933811cf1d09ee98f8ab3309d9b90a0b5621deb2c
Instruction ID: 5732fa361363b6ee3caecfb68e87ab6a273237184b39b185cd4cfe2a9aca824b
Opcode Fuzzy Hash: 223e6b759f5c8ae50cc1aee933811cf1d09ee98f8ab3309d9b90a0b5621deb2c
Instruction Fuzzy Hash: EBE0B671014548ABCF11BF64DD1AF983B79FB41791B104418FD06DA222CB35DD92EF81

Function 008FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008FD28C

Strings

X64, xrefs: 008FD2A8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0c3ea7a283b2920e18e149d3d8ad9d3ca5341c3a709f5022de3818ed065ac360
Instruction ID: 00a02389110520fc66aa38f0a9afd8dbc264585633f236865c363592733f6c64
Opcode Fuzzy Hash: 0c3ea7a283b2920e18e149d3d8ad9d3ca5341c3a709f5022de3818ed065ac360
Instruction Fuzzy Hash: 8BD0C9B581521DEACF94DBA0DC88DD9B37CFB04309F100151F206E2100D73095499F10

Function 0092AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0092B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0092B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0092B1D4
_wcslen.LIBCMT ref: 0092B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092B236
_wcslen.LIBCMT ref: 0092B332

Part of subcall function 009105A7: GetStdHandle.KERNEL32(000000F6), ref: 009105C6

_wcslen.LIBCMT ref: 0092B34B
_wcslen.LIBCMT ref: 0092B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0092B3B6
GetLastError.KERNEL32(00000000), ref: 0092B407
CloseHandle.KERNEL32(?), ref: 0092B439
CloseHandle.KERNEL32(00000000), ref: 0092B44A
CloseHandle.KERNEL32(00000000), ref: 0092B45C
CloseHandle.KERNEL32(00000000), ref: 0092B46E
CloseHandle.KERNEL32(?), ref: 0092B4E3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7ec0713b11e7f95cf555213a697b482d2352c514ab7cd6ff8599152246803586
Instruction ID: 909ec3930dc56f7c57484b8b8358167d0e66c939e94a4d1ed047659cf2ad1540
Opcode Fuzzy Hash: 7ec0713b11e7f95cf555213a697b482d2352c514ab7cd6ff8599152246803586
Instruction Fuzzy Hash: FEF188316083109FD714EF28D891B6ABBE5FF85310F18895DF8999B2A6DB31EC44CB52

Function 008AD730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008AD807
timeGetTime.WINMM ref: 008ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008ADB28
TranslateMessage.USER32(?), ref: 008ADB7B
DispatchMessageW.USER32(?), ref: 008ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008ADB9F
Sleep.KERNEL32(0000000A), ref: 008ADBB1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 77e935eb372084906b007281a6b766606b16f140106ddf371b495f55f46816d1
Instruction ID: d07e2b6211c0c383ffa0e9bad99d82c12a026b30aa7108b8c45102aac3e3a762
Opcode Fuzzy Hash: 77e935eb372084906b007281a6b766606b16f140106ddf371b495f55f46816d1
Instruction Fuzzy Hash: 2142D170608749DFE728CF28C844BBABBE0FF46314F184559E596C7AA1D770E884DB92

Function 008A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008A2D07
RegisterClassExW.USER32(00000030), ref: 008A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008A2D42
InitCommonControlsEx.COMCTL32(?), ref: 008A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008A2D6F
LoadIconW.USER32(000000A9), ref: 008A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008A2D94

Strings

+, xrefs: 008A2CF0
AutoIt v3 GUI, xrefs: 008A2D23
0, xrefs: 008A2CE9
TaskbarCreated, xrefs: 008A2D37

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dc56582a461ae5ad0a389d4140b895260494a467d45d2a0cf4d066839c6c8c6a
Instruction ID: a37f747113f53d07f78b38ec784b9e85f509cf75d948de71e464f399af61351a
Opcode Fuzzy Hash: dc56582a461ae5ad0a389d4140b895260494a467d45d2a0cf4d066839c6c8c6a
Instruction Fuzzy Hash: 6921E5B6925308AFDB00DFA8E849BDDBBB4FB08700F00411AFA15B62A0D7B14584DF91

Function 008E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E039A: CreateFileW.KERNEL32(00000000,00000000,?,008E0704,?,?,00000000,?,008E0704,00000000,0000000C), ref: 008E03B7

GetLastError.KERNEL32 ref: 008E076F
__dosmaperr.LIBCMT ref: 008E0776
GetFileType.KERNEL32(00000000), ref: 008E0782
GetLastError.KERNEL32 ref: 008E078C
__dosmaperr.LIBCMT ref: 008E0795
CloseHandle.KERNEL32(00000000), ref: 008E07B5
CloseHandle.KERNEL32(?), ref: 008E08FF
GetLastError.KERNEL32 ref: 008E0931
__dosmaperr.LIBCMT ref: 008E0938

Strings

H, xrefs: 008E08BD

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: de1085bf407ff838a3cbf20ea49d0c017254c2cd9324bfa0cd4ce4e80205b4cc
Instruction ID: c580bf0209528ce911001f83992f5a6b904aeb51b771a49e380c538aa9337c3c
Opcode Fuzzy Hash: de1085bf407ff838a3cbf20ea49d0c017254c2cd9324bfa0cd4ce4e80205b4cc
Instruction Fuzzy Hash: ECA11332A141888FDF19AF68DC51BAE3BA1FB46324F14015DF815EB392C7719892DF92

Function 008A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00971418,?,008A2E7F,?,?,?,00000000), ref: 008A3A78

Part of subcall function 008A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008A3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008E31CE
RegCloseKey.ADVAPI32(?), ref: 008E3210
_wcslen.LIBCMT ref: 008E3277
_wcslen.LIBCMT ref: 008E3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 008A3560
\Include\, xrefs: 008A3527
\, xrefs: 008E328C
Include, xrefs: 008E3184, 008E31C5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 20e47dc1be59e9c8fd1bc009f10b82ef89a2ea3976375fb0f99dcfca2ed98bc4
Instruction ID: 0868ee465603e562c74e826b9f0d0b2c80f7f4df1ddb0997e75ccee1a981f8c7
Opcode Fuzzy Hash: 20e47dc1be59e9c8fd1bc009f10b82ef89a2ea3976375fb0f99dcfca2ed98bc4
Instruction Fuzzy Hash: B57192724283019ED714DF29DC8696BBBF8FF86B40F40442DF589D71A0EB749A88DB52

Function 008A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 008A2B9D
LoadIconW.USER32(00000063), ref: 008A2BB3
LoadIconW.USER32(000000A4), ref: 008A2BC5
LoadIconW.USER32(000000A2), ref: 008A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008A2BEF
RegisterClassExW.USER32(?), ref: 008A2C40

Part of subcall function 008A2CD4: GetSysColorBrush.USER32(0000000F), ref: 008A2D07
Part of subcall function 008A2CD4: RegisterClassExW.USER32(00000030), ref: 008A2D31
Part of subcall function 008A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008A2D42
Part of subcall function 008A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008A2D5F
Part of subcall function 008A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008A2D6F
Part of subcall function 008A2CD4: LoadIconW.USER32(000000A9), ref: 008A2D85
Part of subcall function 008A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008A2D94

Strings

0, xrefs: 008A2C0F
AutoIt v3, xrefs: 008A2C2F
#, xrefs: 008A2C16

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ea752a0876ffa23cb562fb371d847641a875192406ecf7dd72241e4b8395d134
Instruction ID: eeb1064cdc56fbcabc186672a7cf09d456364ffc12fcabceaaba49da084db606
Opcode Fuzzy Hash: ea752a0876ffa23cb562fb371d847641a875192406ecf7dd72241e4b8395d134
Instruction Fuzzy Hash: 43214FB6E28314AFDB109FA9EC55B9D7FB4FB48B50F00401AF509B66A0D7B14584EF90

Function 008A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008A316A,?,?), ref: 008A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,008A316A,?,?), ref: 008A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008A316A,?,?), ref: 008A3232
CreatePopupMenu.USER32 ref: 008A3246
PostQuitMessage.USER32(00000000), ref: 008A3267

Strings

TaskbarCreated, xrefs: 008A322D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b8b0be46f017976e41e4b6b51f96db2e649f02aed56eb006a2a5c2ce405659a4
Instruction ID: 40b7dfde508125f67e83528208606e3c16f7c6ae2373fa31768824d79ab12dcc
Opcode Fuzzy Hash: b8b0be46f017976e41e4b6b51f96db2e649f02aed56eb006a2a5c2ce405659a4
Instruction Fuzzy Hash: 78415D72368208ABFF251B7CDC0EB793659F747345F044125FA0AD6AE1D7718E40ABA2

Function 008A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008A1459
CoUninitialize.COMBASE ref: 008A14F8
UnregisterHotKey.USER32(?), ref: 008A16DD
DestroyWindow.USER32(?), ref: 008E24B9
FreeLibrary.KERNEL32(?), ref: 008E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008E254B

Strings

close all, xrefs: 008A1454

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 74b62cf78fdbd755c95cbf8fa0b7bd84ae04591fd385b3fcc64c8fd547824ab4
Instruction ID: fb7f55af29d54e88bcaa57d90d645a91f367c719a8f6e873440b6cc030adf329
Opcode Fuzzy Hash: 74b62cf78fdbd755c95cbf8fa0b7bd84ae04591fd385b3fcc64c8fd547824ab4
Instruction Fuzzy Hash: 15D18B31701212CFDB29EF19C999A69F7A4FF06704F1542ADE44AEB662CB30AD12CF51

Function 0090DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0090DE42
gethostname.WS2_32(?,00000100), ref: 0090DE5C
gethostbyname.WS2_32(?), ref: 0090DE69
inet_ntoa.WSOCK32(?), ref: 0090DEAB
_strcat.LIBCMT ref: 0090DEB9
WSACleanup.WSOCK32 ref: 0090DEDE

Strings

0.0.0.0, xrefs: 0090DE87

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1eaadd39c9ae45a9ef0eebdc8dc575106a0ad7655aa359aed4260a449e5daa61
Instruction ID: 8d61b0be9bab2a6af4d0a195a32faf430cf94021d0521f1f70c16419ff2f6d2e
Opcode Fuzzy Hash: 1eaadd39c9ae45a9ef0eebdc8dc575106a0ad7655aa359aed4260a449e5daa61
Instruction Fuzzy Hash: 4E11D372908114AFDB20ABA4DC4AEEE77BCEF51711F000169F545EA0E1EF75CA819F61

Function 008A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,008A1CAD,?), ref: 008A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,008A1CAD,?), ref: 008A2CCF

Strings

AutoIt v3, xrefs: 008A2C89, 008A2C8E, 008A2C8F
edit, xrefs: 008A2CAC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 73ab4d942ea2aa239c8efbb5ed2956fcec79caa113d007102b1440ab4d2a6dd2
Instruction ID: c2ef3384ed1ca060ed0ffcb9456ae9ca997dcc37db48dda685e5f62640ae4c37
Opcode Fuzzy Hash: 73ab4d942ea2aa239c8efbb5ed2956fcec79caa113d007102b1440ab4d2a6dd2
Instruction Fuzzy Hash: 26F0DAB65643907BEB31172BAC09E773EBDD7C6F50F01405AF908A25A0C6611890EEB4

Function 008A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008A3B0F,SwapMouseButtons,00000004,?), ref: 008A3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008A3B0F,SwapMouseButtons,00000004,?), ref: 008A3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,008A3B0F,SwapMouseButtons,00000004,?), ref: 008A3B83

Strings

Control Panel\Mouse, xrefs: 008A3B3E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c3753dc48b0237132d0c6786f33efa689e36a1ce504f6a23f1b43fc2fbf49cc5
Instruction ID: 579bdf0caaaaf684088d53217d414835a44c24a6ea969d6221412de810c87f3c
Opcode Fuzzy Hash: c3753dc48b0237132d0c6786f33efa689e36a1ce504f6a23f1b43fc2fbf49cc5
Instruction Fuzzy Hash: C6112AB5521608FFEB208FA5DC85AAEB7B9FF06754B104459F805E7110D3319E41AB60

Function 008FD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008FD3BF
FreeLibrary.KERNEL32 ref: 008FD3E5

Strings

X64, xrefs: 008FD2A8
GetSystemWow64DirectoryW, xrefs: 008FD3B9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: f392740da7ad44bcb4f2270d2122e7d6669e276c8392ae01ddd26256952632e9
Instruction ID: a440f2b90334d1f9b2ec10789574f91878514baf1154bf08e6a46473b522f1be
Opcode Fuzzy Hash: f392740da7ad44bcb4f2270d2122e7d6669e276c8392ae01ddd26256952632e9
Instruction Fuzzy Hash: 33F020A2809B299BE73112708C549BA3352FF00B05B548029AB02F6249E720DC45ABD3

Function 008ADFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008F32B7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: a73795c9b2976fb15662f52f1644e77cf7052bfa91027c52fb55af9b8147bed6
Instruction ID: 31f04d30764634e2e56ccda0a5db07c713ed3c2d2647723be92ecb063484384c
Opcode Fuzzy Hash: a73795c9b2976fb15662f52f1644e77cf7052bfa91027c52fb55af9b8147bed6
Instruction Fuzzy Hash: 06C2BE71A00219CFEB24CF68C880AADB7B1FF5A314F248969EA05EB791D375ED41CB51

Function 008AEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008AFE66

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: bcb0782832623e5349dd1f70ce5e47a7d76263243321ccfc8a51e20438ba2f47
Instruction ID: 472ad002e5739a14b4942a66c3a72b212b04af4f4d12123c7f07b65e0d7b9da9
Opcode Fuzzy Hash: bcb0782832623e5349dd1f70ce5e47a7d76263243321ccfc8a51e20438ba2f47
Instruction Fuzzy Hash: D2B26975608344CFEB24CF68C480A2AB7E1FB9A314F14496DEA99CB752D771E841CB92

Function 008A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008E33A2

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 008A3A04

Strings

Line: , xrefs: 008E33EB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c873219c4dea24949c5eda1c452fa97540104fb1fd1e9a66b08cc053deb0ee7c
Instruction ID: 69bcef50f29e4522d7c7c450f7385a56b9b8f54841ccc391a17a30bfc3fdb0fd
Opcode Fuzzy Hash: c873219c4dea24949c5eda1c452fa97540104fb1fd1e9a66b08cc053deb0ee7c
Instruction Fuzzy Hash: 3131D271418314ABE725EB28DC46BDBB7E8FB42314F04452AF599D3591EB709A48C7C3

Function 008BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008C0668

Part of subcall function 008C32A4: RaiseException.KERNEL32(?,?,?,008C068A,?,00971444,?,?,?,?,?,?,008C068A,008A1129,00968738,008A1129), ref: 008C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008C0685

Strings

Unknown exception, xrefs: 008C0692

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b0a328c3fc8ff4a6b9f1086a59ed74bc1bb6d508e33167311b69a4988dcd308e
Instruction ID: b9fe535d71caac1e1912a609bf7b77cfc4528359641730693f5781d2a351ed9f
Opcode Fuzzy Hash: b0a328c3fc8ff4a6b9f1086a59ed74bc1bb6d508e33167311b69a4988dcd308e
Instruction Fuzzy Hash: 4AF0C83490030DB78F00BAA8DC46E9E777CFE50354B608539B924D5592EF71DB56CD82

Function 008A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A1BF4
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008A1BFC
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A1C07
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A1C12
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008A1C1A
Part of subcall function 008A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008A1C22

Part of subcall function 008A1B4A: RegisterWindowMessageW.USER32(00000004,?,008A12C4), ref: 008A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008A136A
OleInitialize.OLE32 ref: 008A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008E24AB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4b174d45a07a8f38bc7078f5c3fa9b01ad47b1c056a3a8279779a52ad2e506e7
Instruction ID: 8a2408c5e16636e1b5e5bc675ceae59d821c7595fc7762e6141e7f535f27b7ea
Opcode Fuzzy Hash: 4b174d45a07a8f38bc7078f5c3fa9b01ad47b1c056a3a8279779a52ad2e506e7
Instruction Fuzzy Hash: CA71ACB69393008FD798EF7DA8466953AE4FB89344B54822AE01ED7371EB304480EF56

Function 0090C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0090C259
KillTimer.USER32(?,00000001,?,?), ref: 0090C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0090C270

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 082cd7ca44af97369aa9753fec347f3e217baf90ce9f3179bb971a8799fdb8fa
Instruction ID: 896247d01eb6f700618601432408d83115fa78a76b0b2a1b89ea5ed033e7beca
Opcode Fuzzy Hash: 082cd7ca44af97369aa9753fec347f3e217baf90ce9f3179bb971a8799fdb8fa
Instruction Fuzzy Hash: 173198B1904744AFEB229F688855BD7BBEC9F06304F04049DD5EAA7281C7746A84DB51

Function 008D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,008D85CC,?,00968CC8,0000000C), ref: 008D8704
GetLastError.KERNEL32(?,008D85CC,?,00968CC8,0000000C), ref: 008D870E
__dosmaperr.LIBCMT ref: 008D8739

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 1a1531efdc65dd1700282605a2be001a555168059d1fc0cbcdbfb36e67e9d4cf
Instruction ID: cdba69dce46b2230a4eb971465d7bfa23ce833e9ab027b0326929b3a48b4e481
Opcode Fuzzy Hash: 1a1531efdc65dd1700282605a2be001a555168059d1fc0cbcdbfb36e67e9d4cf
Instruction Fuzzy Hash: 8A012F33605560A6D62876387849B7E6B45FB92774F35031BF814DB3D2DE60CC819151

Function 008ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 008ADB7B
DispatchMessageW.USER32(?), ref: 008ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008ADB9F
Sleep.KERNEL32(0000000A), ref: 008ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008F1CC9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: b7e0217dacd7d02bdb0eb64ebb69c4c619ab5c60bf2f1692243f6fafc3ea6cbf
Instruction ID: 645709c67a7636974a5aeb7b2bb97c298d99d1b33ed22ec5a765632c7c27be8b
Opcode Fuzzy Hash: b7e0217dacd7d02bdb0eb64ebb69c4c619ab5c60bf2f1692243f6fafc3ea6cbf
Instruction Fuzzy Hash: EAF05E716183449BEB30CB748C49FEA73A8FB45310F104918F65AD34C0DB30A4889F26

Function 008B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008B17F6

Strings

CALL, xrefs: 008B17C6

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f0afbc8d3890886de872df6d024726627b355f07b257a4bdd06f883832dc7571
Instruction ID: d1869057e4c948fb0fe891bb662fcf828880027f7e3602bbd29cad4ea17a3250
Opcode Fuzzy Hash: f0afbc8d3890886de872df6d024726627b355f07b257a4bdd06f883832dc7571
Instruction Fuzzy Hash: 33228B706082059FCB24DF28C498A6ABBF1FF89314F54892DF596CB362D731E855CB92

Function 008B01E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db63a565a2d088ec83a82c4d0317f9b7ff70ede47ab7cb35618eb0defdc3aa4c
Instruction ID: a3c9d10d05f9e792d2ac88b5210594a418bed7478e4f1546ef4848bc6f8f35f1
Opcode Fuzzy Hash: db63a565a2d088ec83a82c4d0317f9b7ff70ede47ab7cb35618eb0defdc3aa4c
Instruction Fuzzy Hash: 8532AE70A006099FDB24DF68C885BBEB7A1FF15314F148529EA15EB3A2D731ED44CB92

Function 008A2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008E2C8C

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

Part of subcall function 008A2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008A2DC4

Strings

X, xrefs: 008E2C5A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: aefb170aeaa8ec84cf02968e8ea80604dfa930c4e3270432cd1e9fad9328fd1e
Instruction ID: d589f4e5a562390aa10204a87ae65bb1198e3c1958da32c877f0b70dba777273
Opcode Fuzzy Hash: aefb170aeaa8ec84cf02968e8ea80604dfa930c4e3270432cd1e9fad9328fd1e
Instruction Fuzzy Hash: 13218171A102989BDB159F98C845BEE7BFCFF4A314F004059E405E7241DBB89A89CBA2

Function 008FD363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 008FD375

Strings

X64, xrefs: 008FD2A8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: b39cafc36a2ce9176229ea246b40f2573198d6b72ee9b219df3dedf19026c4bc
Instruction ID: 54750df529ca9c31a0ee6b76222a5a72949143aa79ab50098b13c704b55409d6
Opcode Fuzzy Hash: b39cafc36a2ce9176229ea246b40f2573198d6b72ee9b219df3dedf19026c4bc
Instruction Fuzzy Hash: 66D0C9B681522CEACB90DB50DC88DEDB37DFB04309F504151F202E2100D730A548AF51

Function 008A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 008A3908

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f406f5309e365501c567c3d1dafe497ed25234be86ab392984236321335a4ac1
Instruction ID: 3ab8742334ed6afdeddf792d24919d079a0cf991e8195eaaac720cef5b0e140d
Opcode Fuzzy Hash: f406f5309e365501c567c3d1dafe497ed25234be86ab392984236321335a4ac1
Instruction Fuzzy Hash: B33193B1508701DFE720DF28D885797BBE8FB4A708F00092EF599D3650E775AA44DB52

Function 008BF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008BF661

Part of subcall function 008AD730: GetInputState.USER32 ref: 008AD807

Sleep.KERNEL32(00000000), ref: 008FF2DE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 0f5cc62e31be011f9ae3c61fb58937a33553db11abe6cda58bab962738dc9dc2
Instruction ID: 0803f64c3672ff6264edc16713f7dcea30dbd7d21616645e43647f9a493268d8
Opcode Fuzzy Hash: 0f5cc62e31be011f9ae3c61fb58937a33553db11abe6cda58bab962738dc9dc2
Instruction Fuzzy Hash: 2CF020312446049FE300EF7CD809B6AB7E8FF0A320F004029E80AC7762DB70A800CF91

Function 008AB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008ABB4E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ded7d6f1ad141a94f7df9875d0609e29549a9c52761ed086878279a91bcd2bff
Instruction ID: 3121087360a287a53d4b5d03fb38de5773366e9b11edc364478a128d17cd6975
Opcode Fuzzy Hash: ded7d6f1ad141a94f7df9875d0609e29549a9c52761ed086878279a91bcd2bff
Instruction Fuzzy Hash: BC32AB31A0420DDFEB20CF68C894ABAB7B5FF46354F188059EA05EB752D774AD81CB91

Function 008A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E9C
Part of subcall function 008A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008A4EAE
Part of subcall function 008A4E90: FreeLibrary.KERNEL32(00000000,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EFD

Part of subcall function 008A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E62
Part of subcall function 008A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008A4E74
Part of subcall function 008A4E59: FreeLibrary.KERNEL32(00000000,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E87

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: fcf558f23b3b5955b1288438530cae87e6baa6f8f93231d8155eca3b9ff4af79
Instruction ID: 84ba239294e38345d6c9d51afe7ad75790c1b065bc6fdd9abbe3a7baa57f2e00
Opcode Fuzzy Hash: fcf558f23b3b5955b1288438530cae87e6baa6f8f93231d8155eca3b9ff4af79
Instruction Fuzzy Hash: 7C110132610205AAEF10AB68D802FAD77A4FF81B10F20942DF452E65C1EEB0EE549B52

Function 008D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008D8440

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b5b8377b6b5a7d1952eae7a37ccf93db223b52ac9b462b5bf4e513d9808f3e36
Instruction ID: a202974ee1fd9e2073df72748336ec5eed1420351a644ce7b86d77a23a76d586
Opcode Fuzzy Hash: b5b8377b6b5a7d1952eae7a37ccf93db223b52ac9b462b5bf4e513d9808f3e36
Instruction Fuzzy Hash: 2411067590410AEFCF05DF58E941A9A7BF9FF49314F10415AF808EB312DA31EA118BA5

Function 008D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008D4C7D: RtlAllocateHeap.NTDLL(00000008,008A1129,00000000,?,008D2E29,00000001,00000364,?,?,?,008CF2DE,008D3863,00971444,?,008BFDF5,?), ref: 008D4CBE

_free.LIBCMT ref: 008D506C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 11bfbb45f235386c2ab8dbd240aed79b56f8a3732df6cd371cd678f3f8f67cbb
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 29012672204B046BE321CE699881A5AFBEDFB89370F25061FE184C3380EA30AC05C6B5

Function 008CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 17bf0c624508e8695c9fe6bb14d8a107d6b8874f88645e47c5d7a132950afbcf
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A1F0D132521A14A7D6313A7D9C05F5A37ACFF72334F10072EF421D22D2DA74E801C6A6

Function 008D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,008A1129,00000000,?,008D2E29,00000001,00000364,?,?,?,008CF2DE,008D3863,00971444,?,008BFDF5,?), ref: 008D4CBE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a233b905661469658735fa0e9bc096fe32d45613cbfc8f8cdd1ddfc2dde59d85
Instruction ID: 4ed82e906b34fd9ad764945383db1f83d8b376dae4a4465ea54c9fbf592878f5
Opcode Fuzzy Hash: a233b905661469658735fa0e9bc096fe32d45613cbfc8f8cdd1ddfc2dde59d85
Instruction Fuzzy Hash: 49F0593122622467DB202F669C05F5A3798FF403B0B04A317F809EA380CBB0D80096E0

Function 008D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 111691db35c2b24a74c02d94fb0be7b593d275b2663e8d464caa11a153b57b9f
Instruction ID: bf5b873ef48edf59926a9145dfdcac60a15a3fd139297befaa38078846b31b6d
Opcode Fuzzy Hash: 111691db35c2b24a74c02d94fb0be7b593d275b2663e8d464caa11a153b57b9f
Instruction Fuzzy Hash: 64E0E53110422457E621266A9C00F9A375AFB427B0F090236BC14D6791CBA0DE01B2E3

Function 008A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4F6D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f789643c0cb88dbbbfe56b7cf680479f107d056f0209f26645ed33fd5376b04d
Instruction ID: c9a47f692c0b8ca48bc107d1a729fad3e5acd55582d93f5cbd43af256301ac6f
Opcode Fuzzy Hash: f789643c0cb88dbbbfe56b7cf680479f107d056f0209f26645ed33fd5376b04d
Instruction Fuzzy Hash: A5F01C71105751CFEB349F64D490812B7E4FF55319320B96EE1DAC2A11CBB19844EF51

Function 00932A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00932A66

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ee4ff87a218946927eddabf2051fa57ec9b2497324555b6dfca00f39c8bb6010
Instruction ID: 297cc52fd49565b60892db9af793d1d93a32bc1f9add929d467acfabf8f80d7b
Opcode Fuzzy Hash: ee4ff87a218946927eddabf2051fa57ec9b2497324555b6dfca00f39c8bb6010
Instruction Fuzzy Hash: F0E0DF7235421AAFC710EB30EC809FA735CEF90394B004436EC26C2180DB3499918AA0

Function 008A30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 008A314E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4d42dd8f441cbeea170b01ad49ff701723feb448e18edf9f47a52fd805383f2f
Instruction ID: 2a48126e71e2ad6658f10fd05c54b0813e24df0bbdb4fa9ef503c407cbaa699b
Opcode Fuzzy Hash: 4d42dd8f441cbeea170b01ad49ff701723feb448e18edf9f47a52fd805383f2f
Instruction Fuzzy Hash: 0CF03771924354DFE7529B28DC4A7D57BBCB701708F0000E9A54CD6292DB7457C8CF51

Function 008A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008A2DC4

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d227b82c201a68b97fadabb98253d0e9b347f2d7af84886c011e00be0a70d53e
Instruction ID: 318f00777a2e192c3099bf043fdc6cc54e6e9f2204b8e78dcbfdc104e2772490
Opcode Fuzzy Hash: d227b82c201a68b97fadabb98253d0e9b347f2d7af84886c011e00be0a70d53e
Instruction Fuzzy Hash: D4E0CD726041245BCB11925C9C05FDA77DDEFC9790F040071FD09E7248D970ED808691

Function 008A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008A3908

Part of subcall function 008AD730: GetInputState.USER32 ref: 008AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 008A2B6B

Part of subcall function 008A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008A314E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c886523f0a50479f24d803acbaffa00bde7286d958c62dc5dae267a4f0595c72
Instruction ID: 79c08903131ea6acc092a9f1eb21e9816c2cc0cd8f2e210da7e170ee4dce9d35
Opcode Fuzzy Hash: c886523f0a50479f24d803acbaffa00bde7286d958c62dc5dae267a4f0595c72
Instruction Fuzzy Hash: 06E0262230820407E608BB3CA81247DA349FBD3351F00143EF047C3972CE2445454313

Function 0090DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0090DF40

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 2ab4b60e09fb62866aba530e482bf164802bd7d4e1ef5617c0ae16913baa8ed6
Instruction ID: 3a69363f75f69f5b94809d475928de4c82b1adadd44b8f231da18514f6b6d875
Opcode Fuzzy Hash: 2ab4b60e09fb62866aba530e482bf164802bd7d4e1ef5617c0ae16913baa8ed6
Instruction Fuzzy Hash: FCD05EE6A002283BEF60A6749D0DDF73AACD740220F0006A0786ED3152E920DD458AB0

Function 008E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,008E0704,?,?,00000000,?,008E0704,00000000,0000000C), ref: 008E03B7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8b6a8a04179ce557dd97d449ad1fdf7b20494da15997cfb99d6aef954fa11254
Instruction ID: 5807395c72c428752dc90111eadc4526b9d397182d3b7fdeb30c00eb1d420fdb
Opcode Fuzzy Hash: 8b6a8a04179ce557dd97d449ad1fdf7b20494da15997cfb99d6aef954fa11254
Instruction Fuzzy Hash: 48D06C3205410DBBDF028F84DD06EDA3BAAFB48714F014000BE1866020C732E821AB90

Function 008A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008A1CBC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6113cdf4cadb2ad2667b5ff74f451267730438d6219f2145437aed5de76b3507
Instruction ID: 3112bf99af7940860b43e9068efc9648c24182018aaf42995164260ec926076d
Opcode Fuzzy Hash: 6113cdf4cadb2ad2667b5ff74f451267730438d6219f2145437aed5de76b3507
Instruction Fuzzy Hash: ECC048372A8304ABE2148B94AC4AF107764A348B00F048001F64DA96E383A228A0BA60

Non-executed Functions

Function 00939576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0093961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0093965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0093969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009396C9
SendMessageW.USER32 ref: 009396F2
GetKeyState.USER32(00000011), ref: 0093978B
GetKeyState.USER32(00000009), ref: 00939798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009397AE
GetKeyState.USER32(00000010), ref: 009397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009397E9
SendMessageW.USER32 ref: 00939810
SendMessageW.USER32(?,00001030,?,00937E95), ref: 00939918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0093992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00939941
SetCapture.USER32(?), ref: 0093994A
ClientToScreen.USER32(?,?), ref: 009399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009399D6
ReleaseCapture.USER32 ref: 009399E1
GetCursorPos.USER32(?), ref: 00939A19
ScreenToClient.USER32(?,?), ref: 00939A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00939A80
SendMessageW.USER32 ref: 00939AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00939AEB
SendMessageW.USER32 ref: 00939B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00939B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00939B4A
GetCursorPos.USER32(?), ref: 00939B68
ScreenToClient.USER32(?,?), ref: 00939B75
GetParent.USER32(?), ref: 00939B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00939BFA
SendMessageW.USER32 ref: 00939C2B
ClientToScreen.USER32(?,?), ref: 00939C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00939CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00939CDE
SendMessageW.USER32 ref: 00939D01
ClientToScreen.USER32(?,?), ref: 00939D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00939D82

Part of subcall function 008B9944: GetWindowLongW.USER32(?,000000EB), ref: 008B9952

GetWindowLongW.USER32(?,000000F0), ref: 00939E05

Strings

F, xrefs: 00939D07
@GUI_DRAGID, xrefs: 0093997D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 52ef63b02572bb4ae349b1285c9e6ac6060ed16d1e8fd347c8aa19a0adf25606
Instruction ID: 4089d7433eab0eee1122f87dab27055c99b435a41a99eb489d2b9cd0a1d3d026
Opcode Fuzzy Hash: 52ef63b02572bb4ae349b1285c9e6ac6060ed16d1e8fd347c8aa19a0adf25606
Instruction Fuzzy Hash: 2D42CF75209201AFD724CF28CC45FAABBE9FF49318F100A19F699972A1D7B1E850DF52

Function 00934873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00934908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00934927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0093494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0093495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0093497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00934A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00934A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00934A7E
IsMenu.USER32(?), ref: 00934A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00934AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00934B20
GetWindowLongW.USER32(?,000000F0), ref: 00934B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00934BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00934C82
wsprintfW.USER32 ref: 00934CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00934CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00934CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00934D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00934D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00934D5A

Strings

%d/%02d/%02d, xrefs: 00934CA8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 9c1e49f298ec22d9e7772118ebc45f4aa0e82b1bf1dadf3613757190c3e47fb4
Instruction ID: a732747a39bf44a1e830c29174fd85f281e66b969dc15971c6d20a58c1a9dbea
Opcode Fuzzy Hash: 9c1e49f298ec22d9e7772118ebc45f4aa0e82b1bf1dadf3613757190c3e47fb4
Instruction Fuzzy Hash: 3312FC71600218ABEB248F28CC4AFAE7BF9EF45710F154529F516EA2E1DB78A941CF50

Function 008BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008FF474
IsIconic.USER32(00000000), ref: 008FF47D
ShowWindow.USER32(00000000,00000009), ref: 008FF48A
SetForegroundWindow.USER32(00000000), ref: 008FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008FF4AA
GetCurrentThreadId.KERNEL32 ref: 008FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008FF4DE
SetForegroundWindow.USER32(00000000), ref: 008FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF4F6
keybd_event.USER32(00000012,00000000), ref: 008FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF50B
keybd_event.USER32(00000012,00000000), ref: 008FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF519
keybd_event.USER32(00000012,00000000), ref: 008FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008FF528
keybd_event.USER32(00000012,00000000), ref: 008FF52D
SetForegroundWindow.USER32(00000000), ref: 008FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008FF557

Strings

Shell_TrayWnd, xrefs: 008FF46F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b3b2512468567dcf041dd546504066855ff31234e84b73b4a1daa91650b8a896
Instruction ID: a8b9536f95cf2e626c3b86cab02e790d88740b643704c7ac535b624d4dad7b4e
Opcode Fuzzy Hash: b3b2512468567dcf041dd546504066855ff31234e84b73b4a1daa91650b8a896
Instruction Fuzzy Hash: 26313CB1A5421CBAEB206BB55C4AFBF7E6CFB48B50F100025FB01F6191D6A19910BFA0

Function 00901201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090170D
Part of subcall function 009016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0090173A
Part of subcall function 009016C3: GetLastError.KERNEL32 ref: 0090174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00901286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009012A8
CloseHandle.KERNEL32(?), ref: 009012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009012D1
GetProcessWindowStation.USER32 ref: 009012EA
SetProcessWindowStation.USER32(00000000), ref: 009012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00901310

Part of subcall function 009010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009011FC), ref: 009010D4
Part of subcall function 009010BF: CloseHandle.KERNEL32(?,?,009011FC), ref: 009010E9

Strings

, xrefs: 0090125A
winsta0, xrefs: 009012CC
default, xrefs: 0090130B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: da1cc5a83e6f5ec0c20f0315a678316876cf3dc5524744ba8f89e40e2c4baed8
Instruction ID: c833a75dc1bb559d5130827ff24e968255d7519c8474d755bde3f72bdff8979b
Opcode Fuzzy Hash: da1cc5a83e6f5ec0c20f0315a678316876cf3dc5524744ba8f89e40e2c4baed8
Instruction Fuzzy Hash: 208177B1904209AFDF219FA8DC49BEE7BBDEF04704F144129FA11B62B0C7758A54DB25

Function 00900B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00901114
Part of subcall function 009010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901120
Part of subcall function 009010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 0090112F
Part of subcall function 009010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901136
Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0090114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00900BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00900C00
GetLengthSid.ADVAPI32(?), ref: 00900C17
GetAce.ADVAPI32(?,00000000,?), ref: 00900C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00900C6D
GetLengthSid.ADVAPI32(?), ref: 00900C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00900C8C
HeapAlloc.KERNEL32(00000000), ref: 00900C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00900CB4
CopySid.ADVAPI32(00000000), ref: 00900CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00900CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00900D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00900D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900D45
HeapFree.KERNEL32(00000000), ref: 00900D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900D55
HeapFree.KERNEL32(00000000), ref: 00900D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900D65
HeapFree.KERNEL32(00000000), ref: 00900D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00900D78
HeapFree.KERNEL32(00000000), ref: 00900D7F

Part of subcall function 00901193: GetProcessHeap.KERNEL32(00000008,00900BB1,?,00000000,?,00900BB1,?), ref: 009011A1
Part of subcall function 00901193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00900BB1,?), ref: 009011A8
Part of subcall function 00901193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00900BB1,?), ref: 009011B7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9f68ef7c7d4cb6347fa18eb94c6991622658cb814711d451243c2889dcca99bf
Instruction ID: b8f26af6aa4dd79b785524469598e3868d6dc298bdd26dfa3579322ae24fef24
Opcode Fuzzy Hash: 9f68ef7c7d4cb6347fa18eb94c6991622658cb814711d451243c2889dcca99bf
Instruction Fuzzy Hash: CB7146B290421AAFDF109FE4DC49BAEBBBCBF44300F044615E914A72D1D771AA05EFA0

Function 0091EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0093CC08), ref: 0091EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0091EB37
GetClipboardData.USER32(0000000D), ref: 0091EB43
CloseClipboard.USER32 ref: 0091EB4F
GlobalLock.KERNEL32(00000000), ref: 0091EB87
CloseClipboard.USER32 ref: 0091EB91
GlobalUnlock.KERNEL32(00000000), ref: 0091EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0091EBC9
GetClipboardData.USER32(00000001), ref: 0091EBD1
GlobalLock.KERNEL32(00000000), ref: 0091EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0091EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0091EC38
GetClipboardData.USER32(0000000F), ref: 0091EC44
GlobalLock.KERNEL32(00000000), ref: 0091EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0091EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0091EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0091ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0091ECF3
CountClipboardFormats.USER32 ref: 0091ED14
CloseClipboard.USER32 ref: 0091ED59

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0c1c05624f43907b1653c3963175cb836f4d69fa54937670cb6a9b43f8fc9d64
Instruction ID: 212cbd7c40c7c3ba852093697ef98e8ac6278fd9a1c35358116232b6817e491e
Opcode Fuzzy Hash: 0c1c05624f43907b1653c3963175cb836f4d69fa54937670cb6a9b43f8fc9d64
Instruction Fuzzy Hash: 3661D0752082069FD300EF24D889FAAB7E8FF85704F084519F856D72A1DB30D985DB62

Function 0091698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009169BE
FindClose.KERNEL32(00000000), ref: 00916A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00916A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00916A75

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00916AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00916ADF

Strings

%4d, xrefs: 00916BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00916B32
%03d, xrefs: 00916DA2
%02d, xrefs: 00916C00, 00916C0A, 00916C5A, 00916CAA, 00916CFA, 00916D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00916B6A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b5f1a93107539738825ed95b8feeef2bd39ca37da8d7a9d376272c6d63f0664a
Instruction ID: e655c1df47a91aa692438c3d6645761bda75c203c9de4612e4360bfade0c9013
Opcode Fuzzy Hash: b5f1a93107539738825ed95b8feeef2bd39ca37da8d7a9d376272c6d63f0664a
Instruction Fuzzy Hash: F8D14EB2908304AED710EBA8C981EABB7ECFF89704F44491DF585D6191EB74DA44CB63

Function 00919642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00919663
GetFileAttributesW.KERNEL32(?), ref: 009196A1
SetFileAttributesW.KERNEL32(?,?), ref: 009196BB
FindNextFileW.KERNEL32(00000000,?), ref: 009196D3
FindClose.KERNEL32(00000000), ref: 009196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0091974A
SetCurrentDirectoryW.KERNEL32(00966B7C), ref: 00919768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00919772
FindClose.KERNEL32(00000000), ref: 0091977F
FindClose.KERNEL32(00000000), ref: 0091978F

Strings

*.*, xrefs: 009196F5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fdfeaf828f262db0143d225e0ea176e3c0f1b4e9643e0cf5c3256319967b631c
Instruction ID: 48642796dc9e3f982bfb8e59a1f70e0c4bb10748f3d49d17023a5833a5b5c1d7
Opcode Fuzzy Hash: fdfeaf828f262db0143d225e0ea176e3c0f1b4e9643e0cf5c3256319967b631c
Instruction Fuzzy Hash: 8331CE7260461DAADF14AFB4DC18ADE77ACEF49320F104166F815E21E0EB30DA808F20

Function 0091979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00919819
FindClose.KERNEL32(00000000), ref: 00919824
FindFirstFileW.KERNEL32(*.*,?), ref: 00919840
SetCurrentDirectoryW.KERNEL32(?), ref: 00919890
SetCurrentDirectoryW.KERNEL32(00966B7C), ref: 009198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009198B8
FindClose.KERNEL32(00000000), ref: 009198C5
FindClose.KERNEL32(00000000), ref: 009198D5

Part of subcall function 0090DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0090DB00

Strings

*.*, xrefs: 0091983B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: af9bf44b00e83f1dcfb82ab6168389bb31d96368f0c2e0beb1d33da866a44292
Instruction ID: 5ae87352b25b336373fe4061974205245c4f2cf16bdebf5206c26e2c3af68c00
Opcode Fuzzy Hash: af9bf44b00e83f1dcfb82ab6168389bb31d96368f0c2e0beb1d33da866a44292
Instruction Fuzzy Hash: D831C17260461DAEDF10AFB8EC58ADE77ACEF46324F1041A5E815E2190DB30DAC5CF20

Function 0092BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0092BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0092BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0092C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0092C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0092C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0092C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0092C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0092C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0092C382
RegCloseKey.ADVAPI32(00000000), ref: 0092C38F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 303c66edb467908e26aff767626946252785fe2f8c5af3bf8a70f4f476c599bd
Instruction ID: ad16a8b02bdf5bfdbc9b7223909c4960766bab56f7b41f431bf41f32fa9a60b8
Opcode Fuzzy Hash: 303c66edb467908e26aff767626946252785fe2f8c5af3bf8a70f4f476c599bd
Instruction Fuzzy Hash: BC024EB16042109FD714DF28D891E2ABBE5FF89314F18889DF849DB2A6DB31EC45CB52

Function 0090D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

Part of subcall function 0090E199: GetFileAttributesW.KERNEL32(?,0090CF95), ref: 0090E19A

FindFirstFileW.KERNEL32(?,?), ref: 0090D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0090D1DD
MoveFileW.KERNEL32(?,?), ref: 0090D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0090D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0090D237

Part of subcall function 0090D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0090D21C,?,?), ref: 0090D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0090D253
FindClose.KERNEL32(00000000), ref: 0090D264

Strings

\*.*, xrefs: 0090D0CD, 0090D0D6, 0090D0EB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1f6336703d32799676d4b8015b0f7490c82c376a40786bd00327cb9eccb6e197
Instruction ID: 0c1f14712ab154033d45ed328f5e6a00db2d024613926c1467a883590e462b4b
Opcode Fuzzy Hash: 1f6336703d32799676d4b8015b0f7490c82c376a40786bd00327cb9eccb6e197
Instruction Fuzzy Hash: 81618D3180611DAEDF05EBE8DA529EEB7B9FF55300F244065E412B3191EB34AF09DB61

Function 0091ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0091ED91
EmptyClipboard.USER32 ref: 0091ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0091EDAC
CloseClipboard.USER32 ref: 0091EEA3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 54a6f705b0d54168c6a5834bf0d1faf6a18e1551364d40972aad525e3790872f
Instruction ID: 8f448ded11481d57b0e29eae1bc384d3a43bb61bceda27c03c9dba17d6a86df0
Opcode Fuzzy Hash: 54a6f705b0d54168c6a5834bf0d1faf6a18e1551364d40972aad525e3790872f
Instruction Fuzzy Hash: D241E3752086119FE310CF19E849F59BBE5FF44318F14C099E8199B6A2C775EC81CF90

Function 0090E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090170D
Part of subcall function 009016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0090173A
Part of subcall function 009016C3: GetLastError.KERNEL32 ref: 0090174A

ExitWindowsEx.USER32(?,00000000), ref: 0090E932

Strings

, xrefs: 0090E95C
SeShutdownPrivilege, xrefs: 0090E902
@, xrefs: 0090E925
, xrefs: 0090E920

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 3e0add9a7f7d4986e3168d0f7f4ff4605611074b459ef2d6aa8ec02704962be7
Instruction ID: a7930eea2038c95125e3c9dde3df459c0cb409bcf828ffb0774d2e8db217929d
Opcode Fuzzy Hash: 3e0add9a7f7d4986e3168d0f7f4ff4605611074b459ef2d6aa8ec02704962be7
Instruction Fuzzy Hash: B701F973624311AFEB5426B49C86FBF726CA714B90F154D21FC23F21D1D5A55C409690

Function 00921204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00921276
WSAGetLastError.WSOCK32 ref: 00921283
bind.WSOCK32(00000000,?,00000010), ref: 009212BA
WSAGetLastError.WSOCK32 ref: 009212C5
closesocket.WSOCK32(00000000), ref: 009212F4
listen.WSOCK32(00000000,00000005), ref: 00921303
WSAGetLastError.WSOCK32 ref: 0092130D
closesocket.WSOCK32(00000000), ref: 0092133C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 1981f26fc2272f1d824215519ce6cd51926e5beea025552aec0860f8bbd6cda2
Instruction ID: a5eb607accf503e1199a1e8afbd978c15ce9d9e9995367eb791b6f6cb558b904
Opcode Fuzzy Hash: 1981f26fc2272f1d824215519ce6cd51926e5beea025552aec0860f8bbd6cda2
Instruction Fuzzy Hash: 75418171A00110DFD710DF68D488B2ABBE6FF56318F188198E8569F296C771ED85CBE1

Function 0090D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

Part of subcall function 0090E199: GetFileAttributesW.KERNEL32(?,0090CF95), ref: 0090E19A

FindFirstFileW.KERNEL32(?,?), ref: 0090D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0090D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0090D481
FindClose.KERNEL32(00000000), ref: 0090D498
FindClose.KERNEL32(00000000), ref: 0090D4A1

Strings

\*.*, xrefs: 0090D3F2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dc52cae61c5833ad0cc2199ce30f9f0cd923bfe20010300d8d3519011ccfeed6
Instruction ID: 4e71d5906c0f4fe2125761b1a317d7dc48a8ed9d699239a3dda44484d1b4197b
Opcode Fuzzy Hash: dc52cae61c5833ad0cc2199ce30f9f0cd923bfe20010300d8d3519011ccfeed6
Instruction Fuzzy Hash: 36316D7101D3519FD204EF68D8918AFB7A8FE92304F444A2DF4E1931E1EB24EA09DB63

Function 008DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008DE645

Strings

1#INF, xrefs: 008DF852
1#QNAN, xrefs: 008DF84B
1#SNAN, xrefs: 008DF844
1#IND, xrefs: 008DF83D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 62d486e25aa7d899df57a54d5f2b33d9ef8442c5570b2342f44a0dd83e1cc262
Instruction ID: 10153d4537ce21044981def57e5ab1adb4371220b2c5dc3f17706f2035c24ef9
Opcode Fuzzy Hash: 62d486e25aa7d899df57a54d5f2b33d9ef8442c5570b2342f44a0dd83e1cc262
Instruction Fuzzy Hash: 6FC23771E086288BDB25DE289D407EAB7B5FB48314F1442EBD94EE7341E774AE819F40

Function 0091648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009164DC
CoInitialize.OLE32(00000000), ref: 00916639
CoCreateInstance.OLE32(0093FCF8,00000000,00000001,0093FB68,?), ref: 00916650
CoUninitialize.OLE32 ref: 009168D4

Strings

.lnk, xrefs: 009164BA, 00916524, 009165E0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c33b0a7fbca94ca86d7bd0012423bc55c18164fd7205c2413eabca83738633d8
Instruction ID: 9cd170edc23716b3f499e2bf68dc8e6e35eaf6616db2d02d9d9496d64f73057f
Opcode Fuzzy Hash: c33b0a7fbca94ca86d7bd0012423bc55c18164fd7205c2413eabca83738633d8
Instruction Fuzzy Hash: 2AD14971608205AFD304EF28C881EABB7E9FF95704F00496DF595CB2A1EB70E945CB92

Function 009222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009222E8

Part of subcall function 0091E4EC: GetWindowRect.USER32(?,?), ref: 0091E504

GetDesktopWindow.USER32 ref: 00922312
GetWindowRect.USER32(00000000), ref: 00922319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00922355
GetCursorPos.USER32(?), ref: 00922381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009223DF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 96368c75c47401da8f076fbb130bb1ff8980d62544bb03934b130e8dc38ff448
Instruction ID: 66d3289851431a5326dc7db64abd6f5d1d8270c509c22d7a0b7160769b8c12ba
Opcode Fuzzy Hash: 96368c75c47401da8f076fbb130bb1ff8980d62544bb03934b130e8dc38ff448
Instruction Fuzzy Hash: 4031E072508715AFD720DF14D849B9BBBA9FFC8714F000A19F985A7191DB34EA08CB92

Function 00919B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00919B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00919C8B

Part of subcall function 00913874: GetInputState.USER32 ref: 009138CB
Part of subcall function 00913874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00913966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00919BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00919C75

Strings

*.*, xrefs: 00919B5D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 66b5248e4ae7c81e755494bfcf101ddfffc63e070aa2cef0eaba6ff22eb802d1
Instruction ID: ec2365143bc92a5f8a6932a06e020f35a5de3df897284f6084778694a296f021
Opcode Fuzzy Hash: 66b5248e4ae7c81e755494bfcf101ddfffc63e070aa2cef0eaba6ff22eb802d1
Instruction Fuzzy Hash: 38417171A4460E9FDF14DF68C855AEEBBB8FF05310F144055F849A2291EB309E84CFA1

Function 008B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008B9A4E
GetSysColor.USER32(0000000F), ref: 008B9B23
SetBkColor.GDI32(?,00000000), ref: 008B9B36

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: e7cce9a6a40e1824c6f0f776d221af069ea214a043b824f246708e175cc52f4b
Instruction ID: 0f47dc5a295d113bef0108f786008e8eda4cd101bc3f0320edb1fb143993689b
Opcode Fuzzy Hash: e7cce9a6a40e1824c6f0f776d221af069ea214a043b824f246708e175cc52f4b
Instruction Fuzzy Hash: 2EA1247121842CAEF738AA3C8C89EFB3A9DFB82314F154109F782D67D1CA259D41D676

Function 00921806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0092304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0092307A
Part of subcall function 0092304E: _wcslen.LIBCMT ref: 0092309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0092185D
WSAGetLastError.WSOCK32 ref: 00921884
bind.WSOCK32(00000000,?,00000010), ref: 009218DB
WSAGetLastError.WSOCK32 ref: 009218E6
closesocket.WSOCK32(00000000), ref: 00921915

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9d24cee37af038661447089df30d0c1e27a78a0ab7c10534bc0e89dca98bdd77
Instruction ID: 74881bfea22350463a66a18ee35bf4f14c0641c4aa731acb2452bdf34bd73351
Opcode Fuzzy Hash: 9d24cee37af038661447089df30d0c1e27a78a0ab7c10534bc0e89dca98bdd77
Instruction Fuzzy Hash: C251D675A00210AFEB10AF28D886F6A77E5EB45718F088458F905AF3C7D771ED41CBA2

Function 00931C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00931CC0
IsWindowEnabled.USER32 ref: 00931CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00931CDB
IsIconic.USER32 ref: 00931CE9
IsZoomed.USER32 ref: 00931CF7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f47219d67c54f5c2dc8bc42d33dfcef71ce5fe3b6b5c856590a0afcd8f3d34a9
Instruction ID: 6933a362f7d66a7d23252a4629473d0e9036131fc9e90327140f5f4f33983998
Opcode Fuzzy Hash: f47219d67c54f5c2dc8bc42d33dfcef71ce5fe3b6b5c856590a0afcd8f3d34a9
Instruction Fuzzy Hash: 6B21C7717446115FD7208F2AC854B6A7BE9FF85315F199068E88ADB361CB71EC42CF90

Function 008A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008A83E8
VUUU, xrefs: 008A83FA
ERCP, xrefs: 008A813C
VUUU, xrefs: 008E5DF0
VUUU, xrefs: 008A843C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3ec57733b919c63bc93c0b517f7b74deaee4fa810dd7df6427592349b6c28336
Instruction ID: 60563b43b7ba6a6cc6062761c1c864b39b37765dddda4afb37fe19ada32f51ef
Opcode Fuzzy Hash: 3ec57733b919c63bc93c0b517f7b74deaee4fa810dd7df6427592349b6c28336
Instruction Fuzzy Hash: 47A29E70E0065ACBEF24CF59C8447ADB7B1FF56318F2481A9D815E7684EB709D91CB60

Function 0090AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0090AAAC
SetKeyboardState.USER32(00000080), ref: 0090AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0090AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0090AB88

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 30f645b21e6603e6c21f599c1707b184590eda8bec6ee7e5446b66ceb93b9caa
Instruction ID: af8a004f46c46a3033c238185382d1fddd35379ce567b1d4d5ce98cfdb8afd7f
Opcode Fuzzy Hash: 30f645b21e6603e6c21f599c1707b184590eda8bec6ee7e5446b66ceb93b9caa
Instruction Fuzzy Hash: 88311471A40718AEFB358B69CC05BFA7BAEAB94320F04421AF085961D1D378C981D7E2

Function 008DBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008DBB7F

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

GetTimeZoneInformation.KERNEL32 ref: 008DBB91
WideCharToMultiByte.KERNEL32(00000000,?,0097121C,000000FF,?,0000003F,?,?), ref: 008DBC09
WideCharToMultiByte.KERNEL32(00000000,?,00971270,000000FF,?,0000003F,?,?,?,0097121C,000000FF,?,0000003F,?,?), ref: 008DBC36

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3021aed4da65770cd775059c004a60edd30ab3351d964fa4564ad9340b9c7142
Instruction ID: 42f29bcd4e9cdcd85c021cb4518a288458894cdd472ac72611e9f197a2fff5c4
Opcode Fuzzy Hash: 3021aed4da65770cd775059c004a60edd30ab3351d964fa4564ad9340b9c7142
Instruction Fuzzy Hash: FB31BC72918205EFCB14DF6C8C81829BBB8FF5536071547ABE064EB3A2DB309940EB51

Function 0091CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0091CE89
GetLastError.KERNEL32(?,00000000), ref: 0091CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0091CEFE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 81f26d3caecc9e05dff714a8d0d1231683f169a7ea3b0a9b99ae38fd3693e4f4
Instruction ID: 052e82c570d66a601e7f9592d7af79bdd25249283569ae822560670e4e2e193d
Opcode Fuzzy Hash: 81f26d3caecc9e05dff714a8d0d1231683f169a7ea3b0a9b99ae38fd3693e4f4
Instruction Fuzzy Hash: EE21EDF1640709ABDB20CFA5C948BA7B7FCEB00314F10481EE542E2251E734EE858F90

Function 00908298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009082AA

Strings

|, xrefs: 009082DA
(, xrefs: 009082F0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e3f097b1eb7f97c44dc82f644c0727552bf39af8f1a5e4a8e4a9ffeff22550c4
Instruction ID: eaa05d7590441a267301869acc77025223dc5c3417f37f2fc61e6b763515753b
Opcode Fuzzy Hash: e3f097b1eb7f97c44dc82f644c0727552bf39af8f1a5e4a8e4a9ffeff22550c4
Instruction Fuzzy Hash: D6322475A007059FCB28CF69C481A6AB7F1FF48710B15C56EE59ADB3A1EB70E981CB40

Function 00915C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00915CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00915D17
FindClose.KERNEL32(?), ref: 00915D5F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 56b7f9dd9ae6171efc03d03253f7902747b2ca304e1f7bb66d24bd30bd44a152
Instruction ID: 05b1e2bd65c3288db4c38d30e2fa2ebe4b848c22a3e54d70ca544aae83a7597e
Opcode Fuzzy Hash: 56b7f9dd9ae6171efc03d03253f7902747b2ca304e1f7bb66d24bd30bd44a152
Instruction Fuzzy Hash: 9E518878704A05DFC714CF28D484A96B7E8FF8A314F16855DE99A8B3A1CB30E884CF91

Function 008D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008D2731

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd4fb490790531b5ec565fb7554ef24e6c93b3e68830cb9306232c4a5a2e201c
Instruction ID: c2cbb8731c6598c864fed96f5efea6ffda9feadc5d9badf1e37a71ac183e6093
Opcode Fuzzy Hash: cd4fb490790531b5ec565fb7554ef24e6c93b3e68830cb9306232c4a5a2e201c
Instruction Fuzzy Hash: 0031C675911228ABCB21DF68DC88B99BBB8FF18310F5042DAE41CA7260E7349F818F45

Function 009151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00915238
SetErrorMode.KERNEL32(00000000), ref: 009152A1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5ecb11e3f4ad7201c5a2f5cb93731477a020fc6a1b5c28c11de221134bf88b09
Instruction ID: 8571e54d4d35edf0dbb83bb3e02c594f9801ed77a6575bd3dcc636af9be30529
Opcode Fuzzy Hash: 5ecb11e3f4ad7201c5a2f5cb93731477a020fc6a1b5c28c11de221134bf88b09
Instruction Fuzzy Hash: 97318C75A04518DFDB00DF94D884EAEBBF4FF49314F098499E805AB3A2CB31E846CB91

Function 009016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008C0668
Part of subcall function 008BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0090173A
GetLastError.KERNEL32 ref: 0090174A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c6b488e3a0a3ad7063cf695afe1b2f17897b2a6388310229138f7f40e24c3a71
Instruction ID: 4f4d3649677f841d9b7e04e766e4a96f5122b1b90e9823a57953f3ca80159083
Opcode Fuzzy Hash: c6b488e3a0a3ad7063cf695afe1b2f17897b2a6388310229138f7f40e24c3a71
Instruction Fuzzy Hash: 2C119EB2514305AFD728AF54DC86DAAB7BDFB44754B24852EE056A7281EB70FC418B20

Function 0090D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0090D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0090D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0090D650

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 75262eb60cb049db775200f4fd4e9380da9af8fdda39e9fbf0b67a4f613ba757
Instruction ID: 5b1010965cf0765324788959865946ec58347b25c4b5df0bbb79242cd460dd59
Opcode Fuzzy Hash: 75262eb60cb049db775200f4fd4e9380da9af8fdda39e9fbf0b67a4f613ba757
Instruction Fuzzy Hash: B0115EB5E05228BFDB108F95DC45FAFBBBCEB45B50F108115F914F7290D6704A059BA1

Function 00901663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0090168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009016A1
FreeSid.ADVAPI32(?), ref: 009016B1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a426588d4258d849b7a4fa2d22a0f8f626e88dcb2b7500b571cea3b4121d8e48
Instruction ID: 9f262887da095570b0d325ae9362af5e3fdcb6e2df0fa651c56060b0fb02e331
Opcode Fuzzy Hash: a426588d4258d849b7a4fa2d22a0f8f626e88dcb2b7500b571cea3b4121d8e48
Instruction Fuzzy Hash: C2F0F4B195430DFBDF00DFE49D89AAEBBBDEB08704F504565E501E2181E774AA449B50

Function 008CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fa422e00e0fc9396f067fb1c4b199e1fffa599102d229db56ff22b486e270376
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 39021A71E002199BDF14CFA9D880BADBBF1FF49314F25816EE919E7380D731AA418B94

Function 009168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00916918
FindClose.KERNEL32(00000000), ref: 00916961

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 43eb4b0dbfec14b07a99a1f981b54e9d651d9ee918bff3924b648c9b855fd8a8
Instruction ID: 5f5406fa62bc75b110b2361ad77b24a52a71b1a7707f973c7082169219edc66e
Opcode Fuzzy Hash: 43eb4b0dbfec14b07a99a1f981b54e9d651d9ee918bff3924b648c9b855fd8a8
Instruction Fuzzy Hash: 0B11D071A046149FD710DF29C884A16BBE4FF85328F04C699E8698F6A2CB30EC45CB91

Function 009137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00924891,?,?,00000035,?), ref: 009137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00924891,?,?,00000035,?), ref: 009137F4

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ad046fa4ab52f40bb34116b2d432f1439bc10362aca8e197b91687bec6f80e48
Instruction ID: 59d163db49131f07d922ecd068c4a9047573490e597f52225d1876219073101b
Opcode Fuzzy Hash: ad046fa4ab52f40bb34116b2d432f1439bc10362aca8e197b91687bec6f80e48
Instruction Fuzzy Hash: 74F0E5B17083292AEB20176A8C4DFEB3AAEEFC5761F000175F509E22C1D9609D44CBB1

Function 0090B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0090B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0090B270

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: cd58375e83042e637dd9828fcd244a758f1e64c1b54e0f5f1306d17e79af6439
Instruction ID: cf11032721abc1c01320bb9ab33970be313b82b7a9aab68339796726c542e741
Opcode Fuzzy Hash: cd58375e83042e637dd9828fcd244a758f1e64c1b54e0f5f1306d17e79af6439
Instruction Fuzzy Hash: D5F01D7181424DAFDB059FA4C805BAE7BB4FF14305F008409F965A5191C37996119F94

Function 009010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009011FC), ref: 009010D4
CloseHandle.KERNEL32(?,?,009011FC), ref: 009010E9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5a00a2a8e737021434191f32963f1d5d70c2be3de4249bbe28292564cb4a5836
Instruction ID: ffb5745959e671bb7d4f51afa7148538cbe4121fe33c4c81047f7da31e494840
Opcode Fuzzy Hash: 5a00a2a8e737021434191f32963f1d5d70c2be3de4249bbe28292564cb4a5836
Instruction Fuzzy Hash: 64E0BF72018610EEE7252B55FC05EB777E9FB04310B14882DF5A5945B1DB62ACA0EB50

Function 008ACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008F0C40

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 5a44528878892e4129adcc4dd1a08b539261ee85170b1efda21dcf50f4f0a8dd
Instruction ID: 48c5e9f2aab1e0f18b4f73c6bdbb45092fd45be67c885449262c00aa4bf3b1c5
Opcode Fuzzy Hash: 5a44528878892e4129adcc4dd1a08b539261ee85170b1efda21dcf50f4f0a8dd
Instruction Fuzzy Hash: 8232687090021C9FEF14DFA4C980AEDB7B5FF06318F248059E906EB692DB75AE45CB61

Function 008D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008D6766,?,?,00000008,?,?,008DFEFE,00000000), ref: 008D6998

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1ccee7e9bf3aac72f2d63e6dbd29aa80a2012f7c7943f55ef23bf3e8107dc210
Instruction ID: 19d16908d0791b2395a795c6aa8aaf72fc2076bb5596efc4fe6ea539752fdc50
Opcode Fuzzy Hash: 1ccee7e9bf3aac72f2d63e6dbd29aa80a2012f7c7943f55ef23bf3e8107dc210
Instruction Fuzzy Hash: 98B1493161060D9FD715CF28C48AB657BA0FF45368F29865AE8D9CF3A2D335E9A1CB40

Function 008BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008F851F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 59458db0cc7f4ab69a6d1ec29d211f66822a0287e71c28149f577277be005412
Instruction ID: eb3aa3950265caaa69fe0014dd71e65b6dbe5ea876fdeb1719458ba9d61f856c
Opcode Fuzzy Hash: 59458db0cc7f4ab69a6d1ec29d211f66822a0287e71c28149f577277be005412
Instruction Fuzzy Hash: F3124D71900229DBDB24CF68C8816EEB7F5FF48710F1481AAE949EB351DB709A85CF94

Function 0091EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0091EABD

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b76b545b9b77be823710e4c34876798f53454cf2e8b3b4c5bf1d6ab2840a4d14
Instruction ID: a784e8dd2be110a889c4a132707d7e8eb6a929f51514b3a5ad8cb5b34142a0a9
Opcode Fuzzy Hash: b76b545b9b77be823710e4c34876798f53454cf2e8b3b4c5bf1d6ab2840a4d14
Instruction Fuzzy Hash: 8DE01A362102049FD710EF69D805E9AB7E9FF99760F008416FC4AD7251DAB0A8808B91

Function 008C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008C03EE), ref: 008C09DA

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9d1afe1b9f499c1e93867b322b5ec24c78e02c511c3a661a0eeec1aab1e800ac
Instruction ID: b625996b6fac9003c8909a6f5cc2e9aa4b8bab71b20c5ed5ddea2bab7c2996a7
Opcode Fuzzy Hash: 9d1afe1b9f499c1e93867b322b5ec24c78e02c511c3a661a0eeec1aab1e800ac
Instruction Fuzzy Hash:

Function 008C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008C798B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d43fb7778c9c6da3e53c998f8de556976e5ee4da3010538eeb317d02e4b9c6a9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A951796160C6499BDB38452C885DFBE2BB5FB12344F18053DEA82C7682C639DE09DF5A

Function 008D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac99db9e2d892b693e3e66d666a0955d459eba9d10e5ce21869d7c4b5a7e46c9
Instruction ID: fcc6f8ed472159cd47d11dc861259edb91dd93b16ef70e865d95053fa83f28de
Opcode Fuzzy Hash: ac99db9e2d892b693e3e66d666a0955d459eba9d10e5ce21869d7c4b5a7e46c9
Instruction Fuzzy Hash: 88320F26D2DF014DD7239634D822326A359BFB73C5F55C737F81AB5AAAEB28C4835100

Function 008BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cdbe2a99f426c734ebb426bdec9f1985ef94ae5a220063646aa9b10210c521
Instruction ID: 047bde980ebee8999d8e0407479b3657774fff44b2b9fd73867237a9ac34710d
Opcode Fuzzy Hash: 43cdbe2a99f426c734ebb426bdec9f1985ef94ae5a220063646aa9b10210c521
Instruction Fuzzy Hash: 28321631A0411D8BDF28CF39C6A06BE7BA1FB45314F28856AD68ACB391D334DE85DB40

Function 008A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f727cdae8702540710cca5dc1f1b1407df19e1b21812b3701f265d0cfd840d3e
Instruction ID: 3ce751f2e202965c49b6a17013181307200dcfbb1add15bfde08a4fefdfd12bb
Opcode Fuzzy Hash: f727cdae8702540710cca5dc1f1b1407df19e1b21812b3701f265d0cfd840d3e
Instruction Fuzzy Hash: AD22D0B0A04609DFEF14CF69C881AAEB3B5FF46318F144129E812E7691EB35ED11DB61

Function 008A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78118fc4991f79a34b9600247d34aaf0153af4b36ab12b0b236cbc715c4aa724
Instruction ID: 15da6d9f6c12bbe7d447b10d8896e96208d14db4414af6867ac3332eaaa1ad29
Opcode Fuzzy Hash: 78118fc4991f79a34b9600247d34aaf0153af4b36ab12b0b236cbc715c4aa724
Instruction Fuzzy Hash: 3E02C5B0A00119EFDF04DF69D881AAEB7B1FF45304F608169E856DB391EB31EA10CB91

Function 008D9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cef02aeb63f25022f05315d4a33270b866a9349f2c06ad229a51c52eb36b0d
Instruction ID: bd4989b649c86e40993e5fb1b036e46f1de3598bdb2c2f934c60b6f0119b5e17
Opcode Fuzzy Hash: 36cef02aeb63f25022f05315d4a33270b866a9349f2c06ad229a51c52eb36b0d
Instruction Fuzzy Hash: 4DB1F124D3AF414DC6239A398831336B75CAFBB6D5F91D71BFC1674E22EB2286835140

Function 008C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 43b25562632b2dd4430c7a70fbe3b90345f6a69f8e525bb0297313c24033c393
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: FD9157722080A349DF29463985B8A7DFFF1EA533A1719079DE4F3CA1C6EE34D568D620

Function 008C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c9ab22138bc432c15e7c7f8d1cef37ec41e2a686392ef6727d8372217f8d878c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2D9135722090A349DF69427985BC93DFEF1AA533B5319079DD4F2CA1C2FD34C9699A20

Function 008C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a28044dc8a326d704bfca54066d41e794ed57077e44100218b90f0be6c82404
Instruction ID: aa86a7b12b8c6c117f806dc4b719206a1a74ad25b40dd30e97bf93e48c8ed4d7
Opcode Fuzzy Hash: 9a28044dc8a326d704bfca54066d41e794ed57077e44100218b90f0be6c82404
Instruction Fuzzy Hash: 19616771248719A6DB349A2C8995FBE23B4FF41764F10491EE942DB281DA31DE42CF16

Function 008C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a2e3618aae959998ff9a48ead1f81d88d4ea61a46793cb35964cfe4087537
Instruction ID: 7b4a63ec30be32ae800afa60f5da43673498a16d2c8083864c0f614711f5122c
Opcode Fuzzy Hash: b69a2e3618aae959998ff9a48ead1f81d88d4ea61a46793cb35964cfe4087537
Instruction Fuzzy Hash: 8B617A72248709A7DA384A2C5856FBE23B4FF42B44F10095EFA43CB289D631ED428E56

Function 008C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: aff6b42ac07142c0fd4d4fa20b77ec3d88ec2297355063e7843ec55a0cc06931
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8A8144725090A349DF59423985B893EFFF1FA933A131A47ADD4F2CA1C6EE34C558D620

Function 00912046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4419b22762cce407f25d499c4552a5b59fe23419c1de1eb6ff6efad1950101f5
Instruction ID: 71579a1cda0acb98ab79df22d97053d3318e56f88922e1913630f63ffa1287a9
Opcode Fuzzy Hash: 4419b22762cce407f25d499c4552a5b59fe23419c1de1eb6ff6efad1950101f5
Instruction Fuzzy Hash: 1421A5327306158BD728DF79C8226BA73E9E754310F25862EE4A7C37D1DE39A944DB80

Function 00922ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00922B30
DeleteObject.GDI32(00000000), ref: 00922B43
DestroyWindow.USER32 ref: 00922B52
GetDesktopWindow.USER32 ref: 00922B6D
GetWindowRect.USER32(00000000), ref: 00922B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00922CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00922CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922CF8
GetClientRect.USER32(00000000,?), ref: 00922D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00922D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D80
GlobalLock.KERNEL32(00000000), ref: 00922D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922D98
GlobalUnlock.KERNEL32(00000000), ref: 00922DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922DA8
GlobalFree.KERNEL32(00000000), ref: 00922DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0093FC38,00000000), ref: 00922DDB
GlobalFree.KERNEL32(00000000), ref: 00922DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00922E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00922E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00922E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0092303F

Strings

static, xrefs: 00922D3A, 00922E91
DISPLAY, xrefs: 00922EA2
AutoIt v3, xrefs: 00922CF2
, xrefs: 00922FC5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5baf9af4493687b35c5b593275ed5284498e8f509cb84701a29c1c38cedf003c
Instruction ID: 7cf30ff64a60da62a033eefa09da3c70851b2d1689825d2a950273ab816cc093
Opcode Fuzzy Hash: 5baf9af4493687b35c5b593275ed5284498e8f509cb84701a29c1c38cedf003c
Instruction Fuzzy Hash: 96028CB2910215AFDB14DFA8DC89EAE7BB9FB49314F048158F915AB2A1C734ED00DF60

Function 009370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0093712F
GetSysColorBrush.USER32(0000000F), ref: 00937160
GetSysColor.USER32(0000000F), ref: 0093716C
SetBkColor.GDI32(?,000000FF), ref: 00937186
SelectObject.GDI32(?,?), ref: 00937195
InflateRect.USER32(?,000000FF,000000FF), ref: 009371C0
GetSysColor.USER32(00000010), ref: 009371C8
CreateSolidBrush.GDI32(00000000), ref: 009371CF
FrameRect.USER32(?,?,00000000), ref: 009371DE
DeleteObject.GDI32(00000000), ref: 009371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00937230
FillRect.USER32(?,?,?), ref: 00937262
GetWindowLongW.USER32(?,000000F0), ref: 00937284

Part of subcall function 009373E8: GetSysColor.USER32(00000012), ref: 00937421
Part of subcall function 009373E8: SetTextColor.GDI32(?,?), ref: 00937425
Part of subcall function 009373E8: GetSysColorBrush.USER32(0000000F), ref: 0093743B
Part of subcall function 009373E8: GetSysColor.USER32(0000000F), ref: 00937446
Part of subcall function 009373E8: GetSysColor.USER32(00000011), ref: 00937463
Part of subcall function 009373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00937471
Part of subcall function 009373E8: SelectObject.GDI32(?,00000000), ref: 00937482
Part of subcall function 009373E8: SetBkColor.GDI32(?,00000000), ref: 0093748B
Part of subcall function 009373E8: SelectObject.GDI32(?,?), ref: 00937498
Part of subcall function 009373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009374B7
Part of subcall function 009373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009374CE
Part of subcall function 009373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009374DB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 927e219e18b83f644f665cfa0f800111538ba8a90e1ba3cd71e33d27cb966950
Instruction ID: 6fa102e0ee423bfe366f19d7f352e4a30e6f022f64f7b772cffba2a6bc5e155a
Opcode Fuzzy Hash: 927e219e18b83f644f665cfa0f800111538ba8a90e1ba3cd71e33d27cb966950
Instruction Fuzzy Hash: 65A1A0B201C701AFDB109FA0DC48E6BBBA9FB49321F100A19F962A61E1D775E944EF51

Function 008B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008F6F43

Part of subcall function 008B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008B8BE8,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008B8FC5

SendMessageW.USER32(?,00001053), ref: 008F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008F6FB7

Strings

0, xrefs: 008F6DCF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 22050a1fc0d1ada9c74f4d5a20deb3c84d223a38921816411ea8669dbbdbfe4f
Instruction ID: 7c6d6f634aa7d1f58586d4f2f0695ece57dc7a4d60d31d37c71ebcd43f20bdbc
Opcode Fuzzy Hash: 22050a1fc0d1ada9c74f4d5a20deb3c84d223a38921816411ea8669dbbdbfe4f
Instruction Fuzzy Hash: 5312AB31204209EFDB25DF28D844BB6B7A5FB44310F144269F689DB261DB31ECA2EF91

Function 00922711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0092273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0092286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00922900
GetClientRect.USER32(00000000,?), ref: 0092290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00922955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00922964
GetStockObject.GDI32(00000011), ref: 00922974
SelectObject.GDI32(00000000,00000000), ref: 00922978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00922988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00922991
DeleteDC.GDI32(00000000), ref: 0092299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00922A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00922A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00922A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00922A77
GetStockObject.GDI32(00000011), ref: 00922A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00922A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00922A97

Strings

msctls_progress32, xrefs: 00922A13
static, xrefs: 0092294F, 00922A71
DISPLAY, xrefs: 0092295A
AutoIt v3, xrefs: 009228F8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 461aa6686ee363137a55a85a9b9bbb1dfeccaec106098a772f1e814dc6b530e3
Instruction ID: ec5cceecd998c73bb60afca82fec74b6881d5d72497d6c3fc2fadcf079bd8cf7
Opcode Fuzzy Hash: 461aa6686ee363137a55a85a9b9bbb1dfeccaec106098a772f1e814dc6b530e3
Instruction Fuzzy Hash: E6B15BB2A14615BFEB14DFA8DC8AEAE7BA9EB48710F004114F915E7290D774ED40DB90

Function 00914ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00914AED
GetDriveTypeW.KERNEL32(?,0093CB68,?,\\.\,0093CC08), ref: 00914BCA
SetErrorMode.KERNEL32(00000000,0093CB68,?,\\.\,0093CC08), ref: 00914D36

Strings

MMC, xrefs: 00914CDE
Fixed, xrefs: 00914C09
1394, xrefs: 00914C9F
SSA, xrefs: 00914CA6
RAMDisk, xrefs: 00914BF4
CDROM, xrefs: 00914BFB
iSCSI, xrefs: 00914CC2
SSD, xrefs: 00914C4A
SAS, xrefs: 00914CC9
Network, xrefs: 00914C02
SCSI, xrefs: 00914C8A
Fibre, xrefs: 00914CAD
ATAPI, xrefs: 00914C91
Removable, xrefs: 00914C10, 00914C15
\\.\, xrefs: 00914B3F
Virtual, xrefs: 00914CE5
USB, xrefs: 00914CB4
PhysicalDrive, xrefs: 00914B76
FileBackedVirtual, xrefs: 00914CEC
RAID, xrefs: 00914CBB
SATA, xrefs: 00914CD0
Unknown, xrefs: 00914BED, 00914C83
ATA, xrefs: 00914C98

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1d20c32aab114fa617289222f239377ba4887f0abbb078c7a23d90df42e94d5f
Instruction ID: e44a8875f1790d76435c4b2e7c1fe7073ccaa849c9d01b8ae49490370c076de8
Opcode Fuzzy Hash: 1d20c32aab114fa617289222f239377ba4887f0abbb078c7a23d90df42e94d5f
Instruction Fuzzy Hash: CF61D53070510DDBDB04DF28CA91DEC77A4EB8E744B244415F846AB691DB39ED81DB82

Function 009373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00937421
SetTextColor.GDI32(?,?), ref: 00937425
GetSysColorBrush.USER32(0000000F), ref: 0093743B
GetSysColor.USER32(0000000F), ref: 00937446
CreateSolidBrush.GDI32(?), ref: 0093744B
GetSysColor.USER32(00000011), ref: 00937463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00937471
SelectObject.GDI32(?,00000000), ref: 00937482
SetBkColor.GDI32(?,00000000), ref: 0093748B
SelectObject.GDI32(?,?), ref: 00937498
InflateRect.USER32(?,000000FF,000000FF), ref: 009374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0093752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00937554
InflateRect.USER32(?,000000FD,000000FD), ref: 00937572
DrawFocusRect.USER32(?,?), ref: 0093757D
GetSysColor.USER32(00000011), ref: 0093758E
SetTextColor.GDI32(?,00000000), ref: 00937596
DrawTextW.USER32(?,009370F5,000000FF,?,00000000), ref: 009375A8
SelectObject.GDI32(?,?), ref: 009375BF
DeleteObject.GDI32(?), ref: 009375CA
SelectObject.GDI32(?,?), ref: 009375D0
DeleteObject.GDI32(?), ref: 009375D5
SetTextColor.GDI32(?,?), ref: 009375DB
SetBkColor.GDI32(?,?), ref: 009375E5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b8e8d7c3e8626d85c76d3c9493f4cb1a07057a64aa82087a0bb0251b21d995f7
Instruction ID: e30b89be0ff08f7129d8fd2da042c385939550bbd85d7b35de08bf4ee09b3bf4
Opcode Fuzzy Hash: b8e8d7c3e8626d85c76d3c9493f4cb1a07057a64aa82087a0bb0251b21d995f7
Instruction Fuzzy Hash: E66171B2908618AFDF119FA4DC49EEEBFB9EB08320F104115F911BB2A1D7759940EF90

Function 00930FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00931128
GetDesktopWindow.USER32 ref: 0093113D
GetWindowRect.USER32(00000000), ref: 00931144
GetWindowLongW.USER32(?,000000F0), ref: 00931199
DestroyWindow.USER32(?), ref: 009311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0093120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0093121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00931232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00931245
IsWindowVisible.USER32(00000000), ref: 009312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009312D0
GetWindowRect.USER32(00000000,?), ref: 009312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0093130E
GetMonitorInfoW.USER32(00000000,?), ref: 00931328
CopyRect.USER32(?,?), ref: 0093133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009313AA

Strings

(, xrefs: 0093131B
tooltips_class32, xrefs: 009311E6
0, xrefs: 009310D3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5aea8d454089be8a725d55cd945d1357f211071abeb2d063885a4009ea62de0b
Instruction ID: 00a4642bc7e5f54610e47bc82f8e75252fc7fff7e57037cbe56931e3322e68ff
Opcode Fuzzy Hash: 5aea8d454089be8a725d55cd945d1357f211071abeb2d063885a4009ea62de0b
Instruction Fuzzy Hash: FFB18C71608341AFD704DF68C885B6BBBE5FF85354F008918F999AB2A1CB71E845CF92

Function 008B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008B8968
GetSystemMetrics.USER32(00000007), ref: 008B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008B899B
GetSystemMetrics.USER32(00000008), ref: 008B89A3
GetSystemMetrics.USER32(00000004), ref: 008B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008B8A5A
GetStockObject.GDI32(00000011), ref: 008B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008B8A81

Part of subcall function 008B912D: GetCursorPos.USER32(?), ref: 008B9141
Part of subcall function 008B912D: ScreenToClient.USER32(00000000,?), ref: 008B915E
Part of subcall function 008B912D: GetAsyncKeyState.USER32(00000001), ref: 008B9183
Part of subcall function 008B912D: GetAsyncKeyState.USER32(00000002), ref: 008B919D

SetTimer.USER32(00000000,00000000,00000028,008B90FC), ref: 008B8AA8

Strings

AutoIt v3 GUI, xrefs: 008B8A20

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4aef177c1082d3fa676b391def2a98fc830f12102164d6c2d5e8f4445a0fe5e1
Instruction ID: 0f888ec58b1b045ff7d71372c6d336a418081b593a390ff731d6770c960b82c9
Opcode Fuzzy Hash: 4aef177c1082d3fa676b391def2a98fc830f12102164d6c2d5e8f4445a0fe5e1
Instruction Fuzzy Hash: 5FB16776A1420AEFDB14DFA8DC85BEA3BB5FB48314F104229FA15E7290DB30A841DF51

Function 00900D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00901114
Part of subcall function 009010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901120
Part of subcall function 009010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 0090112F
Part of subcall function 009010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901136
Part of subcall function 009010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0090114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00900DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00900E29
GetLengthSid.ADVAPI32(?), ref: 00900E40
GetAce.ADVAPI32(?,00000000,?), ref: 00900E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00900E96
GetLengthSid.ADVAPI32(?), ref: 00900EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00900EB5
HeapAlloc.KERNEL32(00000000), ref: 00900EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00900EDD
CopySid.ADVAPI32(00000000), ref: 00900EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00900F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00900F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00900F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900F6E
HeapFree.KERNEL32(00000000), ref: 00900F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900F7E
HeapFree.KERNEL32(00000000), ref: 00900F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00900F8E
HeapFree.KERNEL32(00000000), ref: 00900F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00900FA1
HeapFree.KERNEL32(00000000), ref: 00900FA8

Part of subcall function 00901193: GetProcessHeap.KERNEL32(00000008,00900BB1,?,00000000,?,00900BB1,?), ref: 009011A1
Part of subcall function 00901193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00900BB1,?), ref: 009011A8
Part of subcall function 00901193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00900BB1,?), ref: 009011B7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c7c863218c1a074f995901dedfc3a5dbd6c5c39da408e3b6fda8dc116e40e049
Instruction ID: 3dd376c00256fdd3b2acc2fe3af4fbce4d35e4b62b662d6601ecb9a4f86afd99
Opcode Fuzzy Hash: c7c863218c1a074f995901dedfc3a5dbd6c5c39da408e3b6fda8dc116e40e049
Instruction Fuzzy Hash: 9B7159B290820AAFDF209FA4DC48BAEBBBCBF45301F044115FA59F6191D7319A05EF60

Function 0092C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0093CC08,00000000,?,00000000,?,?), ref: 0092C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0092C5A4
_wcslen.LIBCMT ref: 0092C5F4
_wcslen.LIBCMT ref: 0092C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0092C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0092C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0092C84D
RegCloseKey.ADVAPI32(?), ref: 0092C881
RegCloseKey.ADVAPI32(00000000), ref: 0092C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0092C960

Strings

REG_BINARY, xrefs: 0092C913
REG_DWORD, xrefs: 0092C804
REG_MULTI_SZ, xrefs: 0092C6F5
REG_QWORD, xrefs: 0092C8C3
REG_SZ, xrefs: 0092C644
REG_EXPAND_SZ, xrefs: 0092C5CD

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: fad619c98ea6a0344e9b4b3e74689d11189b1410913f3c0c91d5cda8927a5f58
Instruction ID: df3fb83cb430834bed678d40121ef85580dd908cc2319260b4342a3cd2e944f8
Opcode Fuzzy Hash: fad619c98ea6a0344e9b4b3e74689d11189b1410913f3c0c91d5cda8927a5f58
Instruction Fuzzy Hash: 21125A756082119FDB14DF18D891E2AB7E5FF89714F04885CF88A9B7A2DB31ED41CB82

Function 0093091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009309C6
_wcslen.LIBCMT ref: 00930A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00930A54
_wcslen.LIBCMT ref: 00930A8A
_wcslen.LIBCMT ref: 00930B06
_wcslen.LIBCMT ref: 00930B81

Part of subcall function 008BF9F2: _wcslen.LIBCMT ref: 008BF9FD

Part of subcall function 00902BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00902BFA

Strings

CHECK, xrefs: 00930A85, 00930AA0
UNCHECK, xrefs: 00930D3E
GETITEMCOUNT, xrefs: 00930C1E
GETSELECTED, xrefs: 00930C4E
GETTOTALCOUNT, xrefs: 009309F2, 00930A17
EXISTS, xrefs: 00930B7C, 00930B97
EXPAND, xrefs: 00930BF8
GETTEXT, xrefs: 00930C97
SELECT, xrefs: 00930D11
COLLAPSE, xrefs: 00930B01, 00930B1C
ISCHECKED, xrefs: 00930CE1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: bf5403bc6e4dc617dd66289b45916612c78e1695d51adac6467e1c54ec1f1f19
Instruction ID: cdd4cfbd8470661339009c41c90b49b083df41faeece7a19314fec31a01c698c
Opcode Fuzzy Hash: bf5403bc6e4dc617dd66289b45916612c78e1695d51adac6467e1c54ec1f1f19
Instruction Fuzzy Hash: 9AE156356083018FCB14EF28C46092AB7E5FFD9718F14895DE8969B7A2DB31ED45CB82

Function 0092C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
_wcslen.LIBCMT ref: 0092C9F1
_wcslen.LIBCMT ref: 0092CA68
_wcslen.LIBCMT ref: 0092CA9E
_wcslen.LIBCMT ref: 0092CAF9
_wcslen.LIBCMT ref: 0092CB2F
_wcslen.LIBCMT ref: 0092CB7F

Strings

HKCC, xrefs: 0092CBAC
HKEY_LOCAL_MACHINE, xrefs: 0092CA62, 0092CA67
HKEY_CURRENT_USER, xrefs: 0092CBBD
HKEY_CLASSES_ROOT, xrefs: 0092CAF3, 0092CAF8
HKEY_USERS, xrefs: 0092CBDF
HKEY_CURRENT_CONFIG, xrefs: 0092CB79, 0092CB7E
HKLM, xrefs: 0092CA98, 0092CA9D
HKU, xrefs: 0092CBF0
HKCU, xrefs: 0092CBCE
HKCR, xrefs: 0092CB29, 0092CB2E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: e855e8de539ac078f75dace65136ed003477ac088b4ba5c0fb99b636a83bffe0
Instruction ID: 33f4ab134833aeb4126e849adebd86e8cafdee813f225e605db751aef8d93823
Opcode Fuzzy Hash: e855e8de539ac078f75dace65136ed003477ac088b4ba5c0fb99b636a83bffe0
Instruction Fuzzy Hash: 797115B260053A8BCB20DE7CED516BF33A9AF61754F250528F856E728CE635DD84C3A1

Function 0093833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093835A
_wcslen.LIBCMT ref: 0093836E
_wcslen.LIBCMT ref: 00938391
_wcslen.LIBCMT ref: 009383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0093361A,?), ref: 0093844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00938487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00938501
FreeLibrary.KERNEL32(?), ref: 0093850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0093851D
DestroyIcon.USER32(?), ref: 0093852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00938549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00938555

Strings

.icl, xrefs: 00938368
.exe, xrefs: 00938388
.dll, xrefs: 009383AB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 344df7fe338b6db3f151e1b8f8653754ff42703140c1eccdb4faba411472ca6c
Instruction ID: 8da9505db9c64579282d4501731cbd192979de08074d1215a6aae374a6463f48
Opcode Fuzzy Hash: 344df7fe338b6db3f151e1b8f8653754ff42703140c1eccdb4faba411472ca6c
Instruction Fuzzy Hash: 9E61CDB2904715BAEB149F64CC85BBF77ACFB08B11F104609F815E61E1DB74A984DBA0

Function 008A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 008E5279
#pragma compile, xrefs: 008A77D3
#requireadmin, xrefs: 008A77FF
Bad directive syntax error, xrefs: 008E519A
#comments-start, xrefs: 008A785F, 008A78B1
#notrayicon, xrefs: 008A77E7
#ce, xrefs: 008A78ED
#cs, xrefs: 008A7873, 008A78C5
#comments-end, xrefs: 008A78D9
Unterminated group of comments, xrefs: 008E528C
', xrefs: 008E5169
", xrefs: 008E5153
#include, xrefs: 008A7847
#OnAutoItStartRegister, xrefs: 008A7817
#include-once, xrefs: 008A782F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 15679c585377f5cd4d27c60cd62a780f681b984de9c48e3bd0cba0ccf91a1dfe
Instruction ID: 3581d10c6bcf3b941eec1746a4139494a53610c4fdc2c9be4b771771ec94685f
Opcode Fuzzy Hash: 15679c585377f5cd4d27c60cd62a780f681b984de9c48e3bd0cba0ccf91a1dfe
Instruction Fuzzy Hash: 2481F671A44605BBEB20AF65DC42FAF37B8FF56304F044024F905EA592EB70DA11E7A2

Function 00905A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00905A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00905A40
SetWindowTextW.USER32(?,?), ref: 00905A57
GetDlgItem.USER32(?,000003EA), ref: 00905A6C
SetWindowTextW.USER32(00000000,?), ref: 00905A72
GetDlgItem.USER32(?,000003E9), ref: 00905A82
SetWindowTextW.USER32(00000000,?), ref: 00905A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00905AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00905AC3
GetWindowRect.USER32(?,?), ref: 00905ACC
_wcslen.LIBCMT ref: 00905B33
SetWindowTextW.USER32(?,?), ref: 00905B6F
GetDesktopWindow.USER32 ref: 00905B75
GetWindowRect.USER32(00000000), ref: 00905B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00905BD3
GetClientRect.USER32(?,?), ref: 00905BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00905C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00905C2F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 191985f0f05c579e751c54f7cec22c32b62cd7a8d1490c8a5a9ee4a56b801ef4
Instruction ID: ca82b88b39cdc57ed4caa71a813711121edc8be37b4f45c0bbe9a310a6d047f9
Opcode Fuzzy Hash: 191985f0f05c579e751c54f7cec22c32b62cd7a8d1490c8a5a9ee4a56b801ef4
Instruction Fuzzy Hash: 7D714C71900B09AFDB20DFA8CE86A6FBBF9FF48704F114918E582A25A0D775E944DF50

Function 0091FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0091FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0091FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0091FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0091FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0091FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0091FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0091FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0091FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0091FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0091FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0091FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0091FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0091FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0091FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0091FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0091FECC
GetCursorInfo.USER32(?), ref: 0091FEDC
GetLastError.KERNEL32 ref: 0091FF1E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f64349e9b0ac33afefd85fcc0a696bf2e5dd223fc6e60a0ba63c16cbd824cedc
Instruction ID: 496ea5f0a841d9cb72bffac33712be2cae5211a822cf3e03563b9bfc17d1be32
Opcode Fuzzy Hash: f64349e9b0ac33afefd85fcc0a696bf2e5dd223fc6e60a0ba63c16cbd824cedc
Instruction Fuzzy Hash: B54142B0E083196EDB109FBA8C8985EBFE8FF04754B54452AF11DE7281DB78A941CF91

Function 008C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008C00C6

Part of subcall function 008C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0097070C,00000FA0,74D6F5ED,?,?,?,?,008E23B3,000000FF), ref: 008C011C
Part of subcall function 008C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008E23B3,000000FF), ref: 008C0127
Part of subcall function 008C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008E23B3,000000FF), ref: 008C0138
Part of subcall function 008C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008C014E
Part of subcall function 008C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008C015C
Part of subcall function 008C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008C016A
Part of subcall function 008C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008C0195
Part of subcall function 008C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008C01A0

___scrt_fastfail.LIBCMT ref: 008C00E7

Part of subcall function 008C00A3: __onexit.LIBCMT ref: 008C00A9

Strings

kernel32.dll, xrefs: 008C0133
InitializeConditionVariable, xrefs: 008C0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008C0122
SleepConditionVariableCS, xrefs: 008C0154
WakeAllConditionVariable, xrefs: 008C0162

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: d44b689a817eb958263607dc5ac06c9f089b37bee00871697b5f27ce2ad0ed03
Instruction ID: 14da982dc87a75ac3ce5ea750152059ec8e6903e70d547cfd0de265ddc43e462
Opcode Fuzzy Hash: d44b689a817eb958263607dc5ac06c9f089b37bee00871697b5f27ce2ad0ed03
Instruction Fuzzy Hash: 6B212572A1CB00EBD7105BA4AC09F6A73B4FB84B94F04412EF815E6291DBB0D8009E91

Function 009030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090318D
_wcslen.LIBCMT ref: 009031F8

Strings

REGEXPCLASS, xrefs: 00903255, 00903266
CLASSNN, xrefs: 009031F3, 00903204
CLASS, xrefs: 00903188, 009031A5
NAME, xrefs: 00903335, 00903346
TEXT, xrefs: 0090347C
INSTANCE, xrefs: 00903453

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b48741d94e366c576890d92ffcb355c26d3efdce9fa799a66798af1562cffa71
Instruction ID: 10485af5f4885f7364a5942e46447dcfcb04b0f88cef54bac9e0f71d442b8800
Opcode Fuzzy Hash: b48741d94e366c576890d92ffcb355c26d3efdce9fa799a66798af1562cffa71
Instruction Fuzzy Hash: 16E1D432A00616AECB289F78C851BEDBBBCFF44710F54C529E456E7290DB30AE858790

Function 009144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0093CC08), ref: 00914527
_wcslen.LIBCMT ref: 0091453B
_wcslen.LIBCMT ref: 00914599
_wcslen.LIBCMT ref: 009145F4
_wcslen.LIBCMT ref: 0091463F
_wcslen.LIBCMT ref: 009146A7

Part of subcall function 008BF9F2: _wcslen.LIBCMT ref: 008BF9FD

GetDriveTypeW.KERNEL32(?,00966BF0,00000061), ref: 00914743

Strings

ramdisk, xrefs: 009146F1
removable, xrefs: 009145EA, 009145EF
network, xrefs: 0091469D, 009146A2
cdrom, xrefs: 0091458F, 00914594
all, xrefs: 00914531, 00914536
unknown, xrefs: 00914708
fixed, xrefs: 00914635, 0091463A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 41bf0226d023ab2c627be6837afc253343a520962a4e9bb93b0113f784380452
Instruction ID: 3cbc0f1b4c196c882a4904ec3dc3fcdfb525d7585a747fd0b0029df266250395
Opcode Fuzzy Hash: 41bf0226d023ab2c627be6837afc253343a520962a4e9bb93b0113f784380452
Instruction Fuzzy Hash: 71B1E2717083069FC710DF28C890AAAB7E9FFAA764F50492DF496C7291D730D984CB92

Function 008A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00971990), ref: 008E2F8D
GetMenuItemCount.USER32(00971990), ref: 008E303D
GetCursorPos.USER32(?), ref: 008E3081
SetForegroundWindow.USER32(00000000), ref: 008E308A
TrackPopupMenuEx.USER32(00971990,00000000,?,00000000,00000000,00000000), ref: 008E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008E30A9

Strings

0, xrefs: 008A327D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5c9feba1b0c8a4d3a27c70087de48dd476df256cfb7d9c4f0b85a611b0ef509a
Instruction ID: 96f8477d8c53f2ce27328181a8b2261dba6b50d36a21cc8f203acfe1b6c09ba6
Opcode Fuzzy Hash: 5c9feba1b0c8a4d3a27c70087de48dd476df256cfb7d9c4f0b85a611b0ef509a
Instruction Fuzzy Hash: B3710771644255BEFB218F69CC49FAABF68FF06324F204216F514EA1E0CBB1AD50DB50

Function 00936CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00936DEB

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00936E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00936E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00936E94
DestroyWindow.USER32(?), ref: 00936EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008A0000,00000000), ref: 00936EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00936EFD
GetDesktopWindow.USER32 ref: 00936F16
GetWindowRect.USER32(00000000), ref: 00936F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00936F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00936F4D

Part of subcall function 008B9944: GetWindowLongW.USER32(?,000000EB), ref: 008B9952

Strings

tooltips_class32, xrefs: 00936E58, 00936EDD
0, xrefs: 00936D98

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 294434ad6a92d63bd098daefd5468547977870124fc6d799380dc0c90c118d54
Instruction ID: f6cc8144ad9637c7ce7269c8a21301f744f81345e6741937fa9ad431adcf2857
Opcode Fuzzy Hash: 294434ad6a92d63bd098daefd5468547977870124fc6d799380dc0c90c118d54
Instruction Fuzzy Hash: DD717975108641AFDB21CF18DC44FAABBF9FB89304F04481DFA9997261C770A95ADF22

Function 0093911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00939147

Part of subcall function 00937674: ClientToScreen.USER32(?,?), ref: 0093769A
Part of subcall function 00937674: GetWindowRect.USER32(?,?), ref: 00937710
Part of subcall function 00937674: PtInRect.USER32(?,?,00938B89), ref: 00937720

SendMessageW.USER32(?,000000B0,?,?), ref: 009391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00939225
SendMessageW.USER32(?,000000B0,?,?), ref: 0093923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00939255
SendMessageW.USER32(?,000000B1,?,?), ref: 00939277
DragFinish.SHELL32(?), ref: 0093927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00939371

Strings

@GUI_DROPID, xrefs: 0093929E
@GUI_DRAGFILE, xrefs: 00939320
@GUI_DRAGID, xrefs: 009392E9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 6b74ccecddff645bbf9b01c5d91dbf53a1d4ae680e76962d2332b03b0c93ea82
Instruction ID: de8e7d52d05d5a3d55321b3e0270b0f1167d50c95cb6b9ed86dc2a02182d84ce
Opcode Fuzzy Hash: 6b74ccecddff645bbf9b01c5d91dbf53a1d4ae680e76962d2332b03b0c93ea82
Instruction Fuzzy Hash: E5618972108701AFD701EF64DC85EAFBBE9FF89750F00092EF595922A0DB709A49CB52

Function 0091C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0091C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0091C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0091C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0091C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0091C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0091C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0091C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0091C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0091C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0091C5F0
InternetCloseHandle.WININET(00000000), ref: 0091C5FB

Strings

, xrefs: 0091C575

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c4aef8cdb775d7bea9aaaacfd20271a87cd6e6e1c15bbed737670ba0489f16fa
Instruction ID: 0a4d7a8f4d5104867f397daaa53c810d6b20607244b6487f0866486aed2d18c9
Opcode Fuzzy Hash: c4aef8cdb775d7bea9aaaacfd20271a87cd6e6e1c15bbed737670ba0489f16fa
Instruction Fuzzy Hash: AB513AF1644609BFEB218F64C988ABB7BBDFB08754F004419F946A6250DB34E984AF61

Function 0093856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00938592
GetFileSize.KERNEL32(00000000,00000000), ref: 009385A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 009385AD
CloseHandle.KERNEL32(00000000), ref: 009385BA
GlobalLock.KERNEL32(00000000), ref: 009385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009385D7
GlobalUnlock.KERNEL32(00000000), ref: 009385E0
CloseHandle.KERNEL32(00000000), ref: 009385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009385F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0093FC38,?), ref: 00938611
GlobalFree.KERNEL32(00000000), ref: 00938621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00938641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00938671
DeleteObject.GDI32(00000000), ref: 00938699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009386AF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1be5b2c367ad4cc9eb8f94e3dd4a1dc578568e56900f9a8e0ef5775d8638901f
Instruction ID: 534f83bafaaeb773e3ced6f8d37d8b8da304c8b1f9d0529e08d2b0c19ff195f9
Opcode Fuzzy Hash: 1be5b2c367ad4cc9eb8f94e3dd4a1dc578568e56900f9a8e0ef5775d8638901f
Instruction Fuzzy Hash: EB4107B5614608AFDB119FA5CC89EAB7BBCEF89B15F108058F915E7260DB309D01EF60

Function 009114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00911502
VariantCopy.OLEAUT32(?,?), ref: 0091150B
VariantClear.OLEAUT32(?), ref: 00911517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00911657
VariantInit.OLEAUT32(?), ref: 00911708
SysFreeString.OLEAUT32(?), ref: 0091178C
VariantClear.OLEAUT32(?), ref: 009117D8
VariantClear.OLEAUT32(?), ref: 009117E7
VariantInit.OLEAUT32(00000000), ref: 00911823

Strings

Default, xrefs: 009116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00911625

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ddc8eceb7a881a2e9ac2ea0b7e5cbefa1a4f9c67ecc18160757ac565e321f007
Instruction ID: 146da11885b49d013c3903e90c21bf83469f111dbc0fbcb4dee7f3c098c7e8c3
Opcode Fuzzy Hash: ddc8eceb7a881a2e9ac2ea0b7e5cbefa1a4f9c67ecc18160757ac565e321f007
Instruction Fuzzy Hash: CAD11E71B00509EBDB109F68D884BF9B7BAFF45700F148456F646AB681DB34EC80DB62

Function 0092B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0092B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0092B80A
RegCloseKey.ADVAPI32(?), ref: 0092B87E
RegCloseKey.ADVAPI32(?), ref: 0092B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0092B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0092B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0092B922
FreeLibrary.KERNEL32(00000000), ref: 0092B983
RegCloseKey.ADVAPI32(00000000), ref: 0092B994

Strings

advapi32.dll, xrefs: 0092B8ED
RegDeleteKeyExW, xrefs: 0092B8FE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d25c3dd8658bf4b0018413b605927aba9fd18c135da6ade45266315912fc84f5
Instruction ID: 4a402a72f3a6bc765c6d1ae32532f511b26d0305203506b237bd3d487cfad0d3
Opcode Fuzzy Hash: d25c3dd8658bf4b0018413b605927aba9fd18c135da6ade45266315912fc84f5
Instruction Fuzzy Hash: 80C1AD34208211AFD714DF18D495F2ABBE9FF85308F14845CF5AA8B6A2CB75EC45CB92

Function 0092255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009225E8
CreateCompatibleDC.GDI32(?), ref: 009225F4
SelectObject.GDI32(00000000,?), ref: 00922601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0092266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009226D0
SelectObject.GDI32(?,?), ref: 009226D8
DeleteObject.GDI32(?), ref: 009226E1
DeleteDC.GDI32(?), ref: 009226E8
ReleaseDC.USER32(00000000,?), ref: 009226F3

Strings

(, xrefs: 0092268D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b8dca88481165fc61d8a8086f27d51d1e9f67a148a26720e57e90a2a5c03cbef
Instruction ID: 519dc6ec42b64c437b727a259b4994711ebe2d59535264a7aa63333dd978311d
Opcode Fuzzy Hash: b8dca88481165fc61d8a8086f27d51d1e9f67a148a26720e57e90a2a5c03cbef
Instruction Fuzzy Hash: 9D61F4B6D04219EFCF14CFA4D884EAEBBB5FF48310F20852AE955A7250D774A941DF50

Function 008DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008DDAA1

Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD659
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD66B
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD67D
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD68F
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6A1
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6B3
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6C5
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6D7
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6E9
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD6FB
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD70D
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD71F
Part of subcall function 008DD63C: _free.LIBCMT ref: 008DD731

_free.LIBCMT ref: 008DDA96

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DDAB8
_free.LIBCMT ref: 008DDACD
_free.LIBCMT ref: 008DDAD8
_free.LIBCMT ref: 008DDAFA
_free.LIBCMT ref: 008DDB0D
_free.LIBCMT ref: 008DDB1B
_free.LIBCMT ref: 008DDB26
_free.LIBCMT ref: 008DDB5E
_free.LIBCMT ref: 008DDB65
_free.LIBCMT ref: 008DDB82
_free.LIBCMT ref: 008DDB9A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 75cfa5b77b74e6ba9facf190ccaf933ccda6d305702d11f85df7d299abfdd41b
Instruction ID: 956b6eda7ce11b42b2a34af00b290b339d9841360672aa61d4080f0969076b89
Opcode Fuzzy Hash: 75cfa5b77b74e6ba9facf190ccaf933ccda6d305702d11f85df7d299abfdd41b
Instruction Fuzzy Hash: 38315A32604704AFEB21BA39E845F6A7BE8FF10324F15861BE449D7391DA30AC409B21

Function 0090365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0090369C
_wcslen.LIBCMT ref: 009036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00903797
GetClassNameW.USER32(?,?,00000400), ref: 0090380C
GetDlgCtrlID.USER32(?), ref: 0090385D
GetWindowRect.USER32(?,?), ref: 00903882
GetParent.USER32(?), ref: 009038A0
ScreenToClient.USER32(00000000), ref: 009038A7
GetClassNameW.USER32(?,?,00000100), ref: 00903921
GetWindowTextW.USER32(?,?,00000400), ref: 0090395D

Strings

%s%u, xrefs: 00903734

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e1dbfa09b52adfbf8f996ead9af0ac7b28d2259a173f16044eae69452674c072
Instruction ID: 5c85117ecd63a8b5793d342768cda2374e595d325369d51b0dd0daa9d7eb7dff
Opcode Fuzzy Hash: e1dbfa09b52adfbf8f996ead9af0ac7b28d2259a173f16044eae69452674c072
Instruction Fuzzy Hash: 4391AD71204606EFDB19DF24C885FAAB7ADFF44354F00C629F9AAD2191DB30EA45CB91

Function 00904954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00904994
GetWindowTextW.USER32(?,?,00000400), ref: 009049DA
_wcslen.LIBCMT ref: 009049EB
CharUpperBuffW.USER32(?,00000000), ref: 009049F7
_wcsstr.LIBVCRUNTIME ref: 00904A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00904A64
GetWindowTextW.USER32(?,?,00000400), ref: 00904A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00904AE6
GetClassNameW.USER32(?,?,00000400), ref: 00904B20
GetWindowRect.USER32(?,?), ref: 00904B8B

Strings

ThumbnailClass, xrefs: 00904A6F, 00904AF1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 7d5503b9bd89746178b795f82f143d4573d67bcaef600f000537a077faad8805
Instruction ID: d77d67a204917e73bfc325f940236f2c6d0231cffbe7f21c6cba3e1658f372e3
Opcode Fuzzy Hash: 7d5503b9bd89746178b795f82f143d4573d67bcaef600f000537a077faad8805
Instruction Fuzzy Hash: 0E919AB21082069FDB04DF14C985BAA77ECFF84754F048469FE859A0D6EB34ED45CBA2

Function 0092CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0092CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0092CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0092CD48

Part of subcall function 0092CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0092CCAA
Part of subcall function 0092CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0092CCBD
Part of subcall function 0092CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0092CCCF
Part of subcall function 0092CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0092CD05
Part of subcall function 0092CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0092CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0092CCF3

Strings

advapi32.dll, xrefs: 0092CCB8
RegDeleteKeyExW, xrefs: 0092CCC9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3737f45b6dd125fda126188a5e4f7c8c9328b6e176c2c575124c0f90a1ee4e4d
Instruction ID: af037e54b0ec7b8934dd655184e080fee3535f2af60d0832b410ab7fb6ab3f4c
Opcode Fuzzy Hash: 3737f45b6dd125fda126188a5e4f7c8c9328b6e176c2c575124c0f90a1ee4e4d
Instruction Fuzzy Hash: 1B3180B5901128BBDB208BA1EC88EFFBB7CEF46740F000565A905E3244D7749E45EBA0

Function 00913D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00913D40
_wcslen.LIBCMT ref: 00913D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00913D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00913DBE
RemoveDirectoryW.KERNEL32(?), ref: 00913DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00913E55
CloseHandle.KERNEL32(00000000), ref: 00913E60
CloseHandle.KERNEL32(00000000), ref: 00913E6B

Strings

\, xrefs: 00913D77
:, xrefs: 00913D82
\??\%s, xrefs: 00913D5B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4bf48a7991737fda6308311429bfa95b7c39fd5bf141245e73b432cf1026ea1d
Instruction ID: 0217d208eb06474656609c12a9a436427b03519756548a55dcd3c4c8e37db77a
Opcode Fuzzy Hash: 4bf48a7991737fda6308311429bfa95b7c39fd5bf141245e73b432cf1026ea1d
Instruction Fuzzy Hash: 1F31B6B56142096BDB219BA4DC49FEF37BCEF88700F1040B5F515E61A0E774D7849B64

Function 0090E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0090E6B4

Part of subcall function 008BE551: timeGetTime.WINMM(?,?,0090E6D4), ref: 008BE555

Sleep.KERNEL32(0000000A), ref: 0090E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0090E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0090E727
SetActiveWindow.USER32 ref: 0090E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0090E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0090E773
Sleep.KERNEL32(000000FA), ref: 0090E77E
IsWindow.USER32 ref: 0090E78A
EndDialog.USER32(00000000), ref: 0090E79B

Strings

BUTTON, xrefs: 0090E719

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c6f39074438f6a18e4774491d0e3024e7ba568fc5712544757b731a6b33944ab
Instruction ID: 7882713e8296bfb4a0345480d066077a20568b27ad25d00f12778cc016592a2d
Opcode Fuzzy Hash: c6f39074438f6a18e4774491d0e3024e7ba568fc5712544757b731a6b33944ab
Instruction Fuzzy Hash: 8A2181B222C605AFEB006F64EC89B293B6DF79474DF144826F50A911E1DB72AC40BF24

Function 0090E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0090EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0090EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0090EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0090EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0090EAA7

Strings

play PlayMe, xrefs: 0090EAA2
close PlayMe, xrefs: 0090EA6E, 0090EA9B
status PlayMe mode, xrefs: 0090EA58
play PlayMe wait, xrefs: 0090EA91
open , xrefs: 0090EA0C
alias PlayMe, xrefs: 0090EA36

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6703737ce4f237440d137998538b656fab9141794eb223f2b62a2d6ef3700a8d
Instruction ID: 73a4f74c266028f08e106073169a83058a522b211ca74b0d1644cbc9ae15fcfd
Opcode Fuzzy Hash: 6703737ce4f237440d137998538b656fab9141794eb223f2b62a2d6ef3700a8d
Instruction Fuzzy Hash: 50117331A502197DE720A7A5DC4ADFF6A7CFBD6B44F040829B801E20D1EFB00945C9B1

Function 00905CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00905CE2
GetWindowRect.USER32(00000000,?), ref: 00905CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00905D59
GetDlgItem.USER32(?,00000002), ref: 00905D69
GetWindowRect.USER32(00000000,?), ref: 00905D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00905DCF
GetDlgItem.USER32(?,000003E9), ref: 00905DDD
GetWindowRect.USER32(00000000,?), ref: 00905DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00905E31
GetDlgItem.USER32(?,000003EA), ref: 00905E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00905E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00905E67

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 2dfd4c04d42fd619c960429d997cf7b32a2c7dbf017bd77ced2a4b043af9291b
Instruction ID: dc650c7010dd082dab7295fe7bf543a8516933e44b471418b2027eb25db6b88f
Opcode Fuzzy Hash: 2dfd4c04d42fd619c960429d997cf7b32a2c7dbf017bd77ced2a4b043af9291b
Instruction Fuzzy Hash: 5F51FDB1A10615AFDF18CF68DD89AAEBBB9FB48700F158129F916E62D0D7709E04CF50

Function 008B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008B8BE8,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008B8FC5

DestroyWindow.USER32(?), ref: 008B8C81
KillTimer.USER32(00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008B8BBA,00000000,?), ref: 008F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008B8BBA,00000000), ref: 008F69D4
DeleteObject.GDI32(00000000), ref: 008F69E6

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c432c2c06e08384fcbcf227aeec07097c5980f06bbbe8333f4aa9ccee3b6664c
Instruction ID: 3d41b9f383faa68399531c778640cefd5a9af06649eb62c5a52c163d86075b89
Opcode Fuzzy Hash: c432c2c06e08384fcbcf227aeec07097c5980f06bbbe8333f4aa9ccee3b6664c
Instruction Fuzzy Hash: B561EC72116A09DFCB258F28D958BBA7BF5FB00316F144618E146EB660CB71ACD1EF90

Function 008B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008B9944: GetWindowLongW.USER32(?,000000EB), ref: 008B9952

GetSysColor.USER32(0000000F), ref: 008B9862

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 06ff1cf0f13a5fb0e88ca1a9788441e0a5b1a199bf7e4b7f7fb644428f207a69
Instruction ID: bba9b7bed88d576dfc5fd39b204a008a1d83eff4a9da46e47ccd5da6cea84e49
Opcode Fuzzy Hash: 06ff1cf0f13a5fb0e88ca1a9788441e0a5b1a199bf7e4b7f7fb644428f207a69
Instruction Fuzzy Hash: 63417F71108A44AFDB215F789C84BBA3BB5FB06330F144669FAE2D72E1D7319842EB11

Function 009096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00909717
LoadStringW.USER32(00000000,?,008EF7F8,00000001), ref: 00909720

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00909742
LoadStringW.USER32(00000000,?,008EF7F8,00000001), ref: 00909745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00909866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0090984A
^ ERROR, xrefs: 009097FB
Error: , xrefs: 0090981D
Line %d:, xrefs: 009097A0
Line %d (File "%s"):, xrefs: 0090978F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8b6f6b60a372953523b49b235bbbf381e3c065c56baf95b67b0c9c7629bb8d0e
Instruction ID: 636924c67e79d62ec86b8f46e334e37ca0dfea2dcb06fbd1da258c99027db8ec
Opcode Fuzzy Hash: 8b6f6b60a372953523b49b235bbbf381e3c065c56baf95b67b0c9c7629bb8d0e
Instruction Fuzzy Hash: 6B413B72804219AADF04EBE4DD46EEE7778EF56340F504025F605B2192EB356F48CB62

Function 009006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00900804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0090082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00900837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0090083C

Strings

\IPC$, xrefs: 00900784
SOFTWARE\Classes\, xrefs: 0090070E
\CLSID, xrefs: 00900724

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 3843c549645e3b3766d37161d3124315449aa2ab26d3ce63ecca5e374f911a89
Instruction ID: 9cdbe2efbfd4485699d147f30aaf42985946ae5a599516e3e4eba163d0e4327a
Opcode Fuzzy Hash: 3843c549645e3b3766d37161d3124315449aa2ab26d3ce63ecca5e374f911a89
Instruction Fuzzy Hash: D441F272814229ABDF15EBA8DC859EEB778FF44750F454129E901A31A1EB349E04CFA1

Function 00923C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00923C5C
CoInitialize.OLE32(00000000), ref: 00923C8A
CoUninitialize.OLE32 ref: 00923C94
_wcslen.LIBCMT ref: 00923D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00923DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00923ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00923F0E
CoGetObject.OLE32(?,00000000,0093FB98,?), ref: 00923F2D
SetErrorMode.KERNEL32(00000000), ref: 00923F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00923FC4
VariantClear.OLEAUT32(?), ref: 00923FD8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: fb73a69ccf90fe4781b66c32ccc076802408908ccb54df7c283220f1f6005f44
Instruction ID: a57a3899fb026de6766cf2b1d3d45d7fb9586917c869e81a938b86f5798f79c4
Opcode Fuzzy Hash: fb73a69ccf90fe4781b66c32ccc076802408908ccb54df7c283220f1f6005f44
Instruction Fuzzy Hash: 56C143B1608315AFD700DF68D88492BBBE9FF89744F10891DF98A9B261D734EE05CB52

Function 00917A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00917AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00917B8F
SHGetDesktopFolder.SHELL32(?), ref: 00917BA3
CoCreateInstance.OLE32(0093FD08,00000000,00000001,00966E6C,?), ref: 00917BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00917C74
CoTaskMemFree.OLE32(?,?), ref: 00917CCC
SHBrowseForFolderW.SHELL32(?), ref: 00917D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00917D7A
CoTaskMemFree.OLE32(00000000), ref: 00917D81
CoTaskMemFree.OLE32(00000000), ref: 00917DD6
CoUninitialize.OLE32 ref: 00917DDC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 33af0eafe27ed04fadd060992411d7ec422c6123e335395177fb45988c5a226a
Instruction ID: 481cbb194897823dff37477cc6f6226cf499bfeb3a75a809d753c52bd3c5f435
Opcode Fuzzy Hash: 33af0eafe27ed04fadd060992411d7ec422c6123e335395177fb45988c5a226a
Instruction Fuzzy Hash: D1C10A75A04109AFDB14DFA4C884DAEBBF9FF48314B148499E916EB761D730EE81CB90

Function 0093541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00935504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00935515
CharNextW.USER32(00000158), ref: 00935544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00935585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0093559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009355AC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: b4e6dec5b9c5773f46958170756e37aad8f2773460858410fd6128256d90e583
Instruction ID: fef0510a668a1a8b7081cb511a9fc1ed0b36e104cdd8ffae3daa965ce3c35b93
Opcode Fuzzy Hash: b4e6dec5b9c5773f46958170756e37aad8f2773460858410fd6128256d90e583
Instruction Fuzzy Hash: 5E61AC71904609AFDF10CF94CC89AFE7BBAEB0D324F518545F925AB2A0D7749A80DF60

Function 008FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008FFB08
VariantInit.OLEAUT32(?), ref: 008FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008FFB3A
VariantCopy.OLEAUT32(?,?), ref: 008FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008FFBA1
VariantClear.OLEAUT32(?), ref: 008FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008FFBCC
VariantClear.OLEAUT32(?), ref: 008FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008FFBE9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6d324a4ac7b76157a2329e400cf9a6e55f204a175242dcfe3c631bd424769c85
Instruction ID: 6cfc9ea3f6cab7461aadbd4936f01d0aec7bf43975c3dd86e1ffe8fa49373920
Opcode Fuzzy Hash: 6d324a4ac7b76157a2329e400cf9a6e55f204a175242dcfe3c631bd424769c85
Instruction Fuzzy Hash: 12415F75A0421DAFCB00DF68D8589BEBBB9FF48354F008069EA55E7262CB30E945CF91

Function 00909C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00909CA1
GetAsyncKeyState.USER32(000000A0), ref: 00909D22
GetKeyState.USER32(000000A0), ref: 00909D3D
GetAsyncKeyState.USER32(000000A1), ref: 00909D57
GetKeyState.USER32(000000A1), ref: 00909D6C
GetAsyncKeyState.USER32(00000011), ref: 00909D84
GetKeyState.USER32(00000011), ref: 00909D96
GetAsyncKeyState.USER32(00000012), ref: 00909DAE
GetKeyState.USER32(00000012), ref: 00909DC0
GetAsyncKeyState.USER32(0000005B), ref: 00909DD8
GetKeyState.USER32(0000005B), ref: 00909DEA

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a896f2b3a0952c2b69b0664ca4e43397767715295a192b5c5e348cd3a5468230
Instruction ID: 3057be58393b6c9f5e5a229718ff5967bc373516af63bd8cf14721a20c753166
Opcode Fuzzy Hash: a896f2b3a0952c2b69b0664ca4e43397767715295a192b5c5e348cd3a5468230
Instruction Fuzzy Hash: DA41CB74948BCA6DFF319764C8043B5FEE8AF11344F04805AEAC6566C3DBA59DC8CB92

Function 0092055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009205BC
inet_addr.WSOCK32(?), ref: 0092061C
gethostbyname.WSOCK32(?), ref: 00920628
IcmpCreateFile.IPHLPAPI ref: 00920636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009207B9
WSACleanup.WSOCK32 ref: 009207BF

Strings

Ping, xrefs: 00920676

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f0bb7dd479c19a6262937c6ace3dbb8603cc1279baa52460f334f9fddc9839cc
Instruction ID: 7df781e09faef7c4b7bf0cb75c4fe8485c50d650cbffe7c7cbe741b512bd1720
Opcode Fuzzy Hash: f0bb7dd479c19a6262937c6ace3dbb8603cc1279baa52460f334f9fddc9839cc
Instruction Fuzzy Hash: 03918C755082119FD320CF19E889F1ABBE8EF84318F1485A9F4699B6A3C730ED45CF82

Function 00928CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00928CF3

Part of subcall function 00908E54: _wcslen.LIBCMT ref: 00908E77

_wcslen.LIBCMT ref: 00928D4E
_wcslen.LIBCMT ref: 00928D9C
_wcslen.LIBCMT ref: 00928DDC
_wcslen.LIBCMT ref: 00928E6E

Strings

cdecl, xrefs: 00928D48, 00928D4D
stdcall, xrefs: 00928DD6, 00928DDB
none, xrefs: 00928E65, 00928E6A
winapi, xrefs: 00928D96, 00928D9B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 88af5b4f62a757af5579390619e2b9bda51519e4fe495118414e39d9fd5fefc8
Instruction ID: c3395c776ed967ad32878f2b96f5f2bfa0337d35552fcdab59e1f97401769050
Opcode Fuzzy Hash: 88af5b4f62a757af5579390619e2b9bda51519e4fe495118414e39d9fd5fefc8
Instruction Fuzzy Hash: D251D132A051269BCF24EF6CD8409BFB7A9FF65324B214629E426E72C8DB34DD44C790

Function 0092372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00923774
CoUninitialize.OLE32 ref: 0092377F
CoCreateInstance.OLE32(?,00000000,00000017,0093FB78,?), ref: 009237D9
IIDFromString.OLE32(?,?), ref: 0092384C
VariantInit.OLEAUT32(?), ref: 009238E4
VariantClear.OLEAUT32(?), ref: 00923936

Strings

Failed to create object, xrefs: 009237E4, 0092389A
NULL Pointer assignment, xrefs: 0092381E
Invalid parameter, xrefs: 00923865

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 07b6eb2353005754171515f750136e91066f9dcaed249b21b2f57d6ecd680af0
Instruction ID: e72734144def12dfe8c84fdbace3dfaca2ed18940a3edde4ab15c9e6d2432c71
Opcode Fuzzy Hash: 07b6eb2353005754171515f750136e91066f9dcaed249b21b2f57d6ecd680af0
Instruction Fuzzy Hash: 3761B2B0608721AFD710DF64D848F5AB7E8FF89714F108809F5859B291D778EE48CB92

Function 00918195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00918257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00918267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00918273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00918310
SetCurrentDirectoryW.KERNEL32(?), ref: 00918324
SetCurrentDirectoryW.KERNEL32(?), ref: 00918356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0091838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00918395

Strings

*.*, xrefs: 0091839B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 82c053c22192f69f95763266198f213d575bd07d2b5609ab0c3dfee4d7ccc5d4
Instruction ID: e23240eb5763900e51ec3bfc9da947bbcfe857e2c85690dc4a1627f5b2cbb1e3
Opcode Fuzzy Hash: 82c053c22192f69f95763266198f213d575bd07d2b5609ab0c3dfee4d7ccc5d4
Instruction Fuzzy Hash: 786157B26082099FDB10EF64C8409AFB3E8FF89310F04891EF999D7251DB31E945CB92

Function 00913388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009133CF

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009133F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00913504
"%s" (%d) : ==> %s:, xrefs: 00913522
Incorrect parameters to object property !, xrefs: 009134AB
^ ERROR , xrefs: 0091349E
Error: , xrefs: 009134D1
Line %d (File "%s"):, xrefs: 00913443, 0091345C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 7d821534ed9d9d6c27e9d70489265031f6af0acd4a6a28c218324198550422ff
Instruction ID: 89337a33e42828bf1ef940d9d2b238bb2f2011ebd55a4ccf609046e6c9edd726
Opcode Fuzzy Hash: 7d821534ed9d9d6c27e9d70489265031f6af0acd4a6a28c218324198550422ff
Instruction Fuzzy Hash: 2C51B172904209AAEF15EBA4CD42EEEB778FF05344F104061F109B21A2EB352F98DB61

Function 0090B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0090B5FC
_wcslen.LIBCMT ref: 0090B608
_wcslen.LIBCMT ref: 0090B64D
_wcslen.LIBCMT ref: 0090B68C
_wcslen.LIBCMT ref: 0090B6C7

Strings

EXISTS, xrefs: 0090B686, 0090B68B
APPEND, xrefs: 0090B6C1, 0090B6C6
REMOVE, xrefs: 0090B602, 0090B607
KEYS, xrefs: 0090B647, 0090B64C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 01e2a5453f2d2b6ab669ca890c3ffe4f7da4210f5f372c07a9c2751118139e2a
Instruction ID: 91f58376eb723f5cfb3624a3edb5eadb2bdb68f1337eed4f7a117d82a12d4c74
Opcode Fuzzy Hash: 01e2a5453f2d2b6ab669ca890c3ffe4f7da4210f5f372c07a9c2751118139e2a
Instruction Fuzzy Hash: 3041C532A001279ECB205F7DC9905BE7BA9BF61B68B244629E521D72C4E736CD81C790

Function 00915393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00915416
GetLastError.KERNEL32 ref: 00915420
SetErrorMode.KERNEL32(00000000,READY), ref: 009154A7

Strings

UNKNOWN, xrefs: 00915444
READONLY, xrefs: 00915452
INVALID, xrefs: 00915459
READY, xrefs: 00915460, 00915468
NOTREADY, xrefs: 0091544B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 840c2e4d728cb20c45cc793d953fe992b5de0722ce082ddbed83267938f70d3d
Instruction ID: fee04e783a75df8a536b88d31bbde2b266bb5667bbdd6ca79f971c1ab091b0e8
Opcode Fuzzy Hash: 840c2e4d728cb20c45cc793d953fe992b5de0722ce082ddbed83267938f70d3d
Instruction Fuzzy Hash: B4319C75A04608DFDB10DF68C884AEABBB8EB85305F568065E405DB2E2DB71DDC2CB91

Function 00933C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00933C79
SetMenu.USER32(?,00000000), ref: 00933C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00933D10
IsMenu.USER32(?), ref: 00933D24
CreatePopupMenu.USER32 ref: 00933D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00933D5B
DrawMenuBar.USER32 ref: 00933D63

Strings

0, xrefs: 00933C54
F, xrefs: 00933D4E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a2b20aa05cafd0ad5ca05b3f59dd4c99c5228672098abab5ce06450cf92c8b9c
Instruction ID: 5b88604d47225fcd36edbbbed70aed9f3a1c5bbe2f957b911b211b60021c5dfc
Opcode Fuzzy Hash: a2b20aa05cafd0ad5ca05b3f59dd4c99c5228672098abab5ce06450cf92c8b9c
Instruction Fuzzy Hash: D6417AB9A15609EFDB14CF64D844EEA7BB9FF49350F144028F956A73A0D730AA10DF90

Function 00901EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00901F64
GetDlgCtrlID.USER32 ref: 00901F6F
GetParent.USER32 ref: 00901F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00901F8E
GetDlgCtrlID.USER32(?), ref: 00901F97
GetParent.USER32(?), ref: 00901FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00901FAE

Strings

ListBox, xrefs: 00901F21
ComboBox, xrefs: 00901EEC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 328d01522951c6843fbd19e8d46d26383b49fc8a57b922c7c2fe2c811d6f4f91
Instruction ID: 5234fb087132bb12b98e2e4c949e34d1dd34c4cb0c0756950f6c6db50dd1d232
Opcode Fuzzy Hash: 328d01522951c6843fbd19e8d46d26383b49fc8a57b922c7c2fe2c811d6f4f91
Instruction Fuzzy Hash: 3D21CFB0904615BFDF04AFA4CC85EEEBBB9EF06354F004115FAA1A72E1CB385908DB60

Function 00933A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00933A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00933AA0
GetWindowLongW.USER32(?,000000F0), ref: 00933AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00933AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00933B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00933BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00933BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00933BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00933BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00933C13

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ac1a8b2c35a014b52b1b50f1094f3b9f20268a732da9279f2c4f3b79d83f5298
Instruction ID: 428d3d9a0e50d6961b1c8f4dd7cdbfb71f3188e2f7038dee3bebc5c7ac5dab54
Opcode Fuzzy Hash: ac1a8b2c35a014b52b1b50f1094f3b9f20268a732da9279f2c4f3b79d83f5298
Instruction Fuzzy Hash: 70616A75A40248AFDB10DFA8CC81EEEB7B8EB49704F104199FA15E72A1C774AE81DF50

Function 0090B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0090B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B165
GetWindowThreadProcessId.USER32(00000000), ref: 0090B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0090B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0090A1E1,?,00000001), ref: 0090B21D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 754efd548a59e12ed9c092d547b6372bdf057596b9c0d66b0e5b251bbb071289
Instruction ID: ba1af3493994a57fb9f2d33eae5a78448ad9b944c51365ffe661b94caded63b4
Opcode Fuzzy Hash: 754efd548a59e12ed9c092d547b6372bdf057596b9c0d66b0e5b251bbb071289
Instruction Fuzzy Hash: D731A0B2528604BFDB109F68DC49B6D7BADBB61315F108405FA19E61D0D7B49E80AF60

Function 008D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008D2C94

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008D2CA0
_free.LIBCMT ref: 008D2CAB
_free.LIBCMT ref: 008D2CB6
_free.LIBCMT ref: 008D2CC1
_free.LIBCMT ref: 008D2CCC
_free.LIBCMT ref: 008D2CD7
_free.LIBCMT ref: 008D2CE2
_free.LIBCMT ref: 008D2CED
_free.LIBCMT ref: 008D2CFB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b54bfc3ea7412376b5329a86d928811382a360a8114d3cc7afa5c511f839b55d
Instruction ID: 5cd4a1cc6c32298d6958daed157c58f96de84db5675dc79462b074ed79887d0f
Opcode Fuzzy Hash: b54bfc3ea7412376b5329a86d928811382a360a8114d3cc7afa5c511f839b55d
Instruction Fuzzy Hash: AD119276100108BFCB02EF58D892DDD3FA5FF15350F4146A6FA489B322DA31EA50AB91

Function 00917DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00917FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00917FC1
GetFileAttributesW.KERNEL32(?), ref: 00917FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00918005
SetCurrentDirectoryW.KERNEL32(?), ref: 00918017
SetCurrentDirectoryW.KERNEL32(?), ref: 00918060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009180B0

Strings

*.*, xrefs: 00918066

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8e3adca5b880c1031a33e4a2b1c82c1aa0b5fee4c40d8f33da7d356b9d951bc4
Instruction ID: f4f9e35a27ed1fd7273270d0a668b6f38599c6b9d0bab51c522fa212e11b87c5
Opcode Fuzzy Hash: 8e3adca5b880c1031a33e4a2b1c82c1aa0b5fee4c40d8f33da7d356b9d951bc4
Instruction Fuzzy Hash: CB81807260824A9BDB20EF54C844AEAF7E9FB89310F144C5EF885D7260DB35DD85CB52

Function 008A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008A5C7A

Part of subcall function 008A5D0A: GetClientRect.USER32(?,?), ref: 008A5D30
Part of subcall function 008A5D0A: GetWindowRect.USER32(?,?), ref: 008A5D71
Part of subcall function 008A5D0A: ScreenToClient.USER32(?,?), ref: 008A5D99

GetDC.USER32 ref: 008E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008E4708
SelectObject.GDI32(00000000,00000000), ref: 008E4716
SelectObject.GDI32(00000000,00000000), ref: 008E472B
ReleaseDC.USER32(?,00000000), ref: 008E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008E47C4

Strings

U, xrefs: 008E4693

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0673b96d9e972b8938d6b18b95d7a54c3e14ff4cb4a65c3ac7ed40f94fce3a24
Instruction ID: 311f7f9d5c67dc364ffc02f45d4943e27409120dee1bed0fc302584f0db42e58
Opcode Fuzzy Hash: 0673b96d9e972b8938d6b18b95d7a54c3e14ff4cb4a65c3ac7ed40f94fce3a24
Instruction Fuzzy Hash: F1710031404249DFDF218F64CD84ABA7BB1FF4B324F145269ED59DA2AAC3308881EF90

Function 0091359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009135E4

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

LoadStringW.USER32(00972390,?,00000FFF,?), ref: 0091360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00913724
"%s" (%d) : ==> %s:, xrefs: 00913742
^ ERROR, xrefs: 009136C9
Error: , xrefs: 009136EF
Line %d (File "%s"):, xrefs: 0091366B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 62d1500c191a9c0a145feb4b881acb7c515a00adf97d0ecb9b938652aecf1418
Instruction ID: eb2f582d377a5418907570fabbe6576fa461803b2737cccb47eae3a65cc04a69
Opcode Fuzzy Hash: 62d1500c191a9c0a145feb4b881acb7c515a00adf97d0ecb9b938652aecf1418
Instruction Fuzzy Hash: F6517172904219ABEF15EBA4DC42EEEBB38FF45340F048125F105B25A1EB301B99DF61

Function 0091C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0091C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0091C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0091C2CA
GetLastError.KERNEL32 ref: 0091C322
SetEvent.KERNEL32(?), ref: 0091C336
InternetCloseHandle.WININET(00000000), ref: 0091C341

Strings

, xrefs: 0091C2BB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d3f3a7cf048d7b79f15e3a12a6b94ce793c82d1d6f72eda0d4731fd841de0dac
Instruction ID: 3ed2df986a6e183fd21a7ade36b952ded69712d854212fba3890ca7e6c843dd2
Opcode Fuzzy Hash: d3f3a7cf048d7b79f15e3a12a6b94ce793c82d1d6f72eda0d4731fd841de0dac
Instruction Fuzzy Hash: 94318CF1744608AFD7219FA58C88AEB7BFCEB49744F10891EF456E2200DB34DD859B61

Function 0090989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008E3AAF,?,?,Bad directive syntax error,0093CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009098BC
LoadStringW.USER32(00000000,?,008E3AAF,?), ref: 009098C3

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00909987

Strings

Error: , xrefs: 00909955
%s (%d) : ==> %s.: %s %s, xrefs: 009098F1
Line %d:, xrefs: 00909912
., xrefs: 0090996D
Line %d (File "%s"):, xrefs: 0090992D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b9028ecab8cd7d45fbdc1d94b94ba55998f27f0985b8f23e15b8dba2e0be9b78
Instruction ID: 641f818c03b9d13d5b4e29bb49838fc930e9ed4261e4599e0e3c50a04f7cb897
Opcode Fuzzy Hash: b9028ecab8cd7d45fbdc1d94b94ba55998f27f0985b8f23e15b8dba2e0be9b78
Instruction Fuzzy Hash: 4C219F3280421AAFDF15AF94CC06EEE7779FF19304F044429F615A21A2EB719A18DB52

Function 0090209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0090214D

Strings

smallicons, xrefs: 00902115
SHELLDLL_DefView, xrefs: 009020CC
details, xrefs: 009020FB
largeicons, xrefs: 009020E1
list, xrefs: 0090212F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: dc74dcc7728739bbbe013a8502b53ddca410c381034194ae6c6716c4269ea9a9
Instruction ID: 2b3cd582cd0b5e9d254d54cd05dcf9784fc2f4440d44bc97db22c2e1bcb5f691
Opcode Fuzzy Hash: dc74dcc7728739bbbe013a8502b53ddca410c381034194ae6c6716c4269ea9a9
Instruction Fuzzy Hash: 9E11067668C717BDFA152734DC0BDA677ACDF05328F21111AFB04F50E1EA75A8425A14

Function 008D8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5719bf0f45040d96fe0d2ceae5115eb6d2ce4b096c318df5b5ac732a1d4dba
Instruction ID: 6cdb25067f9b6e6ae582cfea465676cb85eab184fff78f7808dc396aa74cc7a1
Opcode Fuzzy Hash: 4a5719bf0f45040d96fe0d2ceae5115eb6d2ce4b096c318df5b5ac732a1d4dba
Instruction Fuzzy Hash: 3BC1DE75A04249EFDB11AFACD841BADBBB5FF09310F04429AE958E7392CB309D41DB61

Function 008DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008DCEB7
_free.LIBCMT ref: 008DCF22
_free.LIBCMT ref: 008DCF48
_free.LIBCMT ref: 008DCF71
_free.LIBCMT ref: 008DCFA9
_free.LIBCMT ref: 008DCFDA
_free.LIBCMT ref: 008DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008DD09C
_free.LIBCMT ref: 008DD0B5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4d3f831fdbddd179110602bd61a41d899c5952866762595ead8d0a97243b3b65
Instruction ID: 6fa0c22334f09de1b94ec1941b19cf294f0ee7ed247dcf79e593e22bb2db722b
Opcode Fuzzy Hash: 4d3f831fdbddd179110602bd61a41d899c5952866762595ead8d0a97243b3b65
Instruction Fuzzy Hash: 456135B2908306AFDB21AFB89885AA97BA5FF41320F04436FF944D7382DAB19D01D751

Function 009350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00935186
ShowWindow.USER32(?,00000000), ref: 009351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009351D1

Part of subcall function 00936FBA: DeleteObject.GDI32(00000000), ref: 00936FE6

GetWindowLongW.USER32(?,000000F0), ref: 0093520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0093521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0093524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00935287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00935296

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 7606f10135cd9c1499e961050fd459d3de846b3ad00448e7a1724712ad6b456f
Instruction ID: 930c9c68d21a1818c46e584520d29d85ac6998869aec6a930049c3f9e88ef6d6
Opcode Fuzzy Hash: 7606f10135cd9c1499e961050fd459d3de846b3ad00448e7a1724712ad6b456f
Instruction Fuzzy Hash: BD51C370A58A08BFEF309F68CC46BD93BA9FB09325F154411FA25962E0C775E990DF41

Function 008B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008B8874,00000000,00000000,00000000,000000FF,00000000), ref: 008F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008B8874,00000000,00000000,00000000,000000FF,00000000), ref: 008F692D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f55f69dff7347b6f26204aedee9191d16498d4b3709d1b8c545d442df1270776
Instruction ID: 81e22eb8af1efcb12c56d932b1a46a4bb977a7a490b8c4c7a5fa37956bba9d7f
Opcode Fuzzy Hash: f55f69dff7347b6f26204aedee9191d16498d4b3709d1b8c545d442df1270776
Instruction Fuzzy Hash: D2518C70610609EFDB24CF28CC55FAA7BB9FB44764F104618FA56D72A0EB70E990EB50

Function 0091C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0091C182
GetLastError.KERNEL32 ref: 0091C195
SetEvent.KERNEL32(?), ref: 0091C1A9

Part of subcall function 0091C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0091C272
Part of subcall function 0091C253: GetLastError.KERNEL32 ref: 0091C322
Part of subcall function 0091C253: SetEvent.KERNEL32(?), ref: 0091C336
Part of subcall function 0091C253: InternetCloseHandle.WININET(00000000), ref: 0091C341

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4d1ed9a20bf6f04a33015e4cbce5b9a292a925d569019903f40bd599d40f99f1
Instruction ID: 0485357f0c59950c8b0842c9705da22e058f85a0a3916c2eb7b5cf22fe63c452
Opcode Fuzzy Hash: 4d1ed9a20bf6f04a33015e4cbce5b9a292a925d569019903f40bd599d40f99f1
Instruction Fuzzy Hash: 91318EB1384A09BFDB219FA5DC44AABBBFDFF58310B00481DF96692610D734E854AF60

Function 009025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00903A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00903A57
Part of subcall function 00903A3D: GetCurrentThreadId.KERNEL32 ref: 00903A5E
Part of subcall function 00903A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009025B3), ref: 00903A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00902601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00902605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0090260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00902623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00902627

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6b816ebeab2a4891959c07d052dedb0bae0ab93191e211cbf60a02c661f9fe1f
Instruction ID: 3a64674415eb6f9ebebb8cc7b69cab0cafdc3902f9e77f004d00e8fbccdb3f07
Opcode Fuzzy Hash: 6b816ebeab2a4891959c07d052dedb0bae0ab93191e211cbf60a02c661f9fe1f
Instruction Fuzzy Hash: FE01D4713A8610BBFB1067689C8EF593F5DDB8EB12F100002F318BE0D1C9E22444AE69

Function 00901803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00901449,?,?,00000000), ref: 0090180C
HeapAlloc.KERNEL32(00000000,?,00901449,?,?,00000000), ref: 00901813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00901449,?,?,00000000), ref: 00901828
GetCurrentProcess.KERNEL32(?,00000000,?,00901449,?,?,00000000), ref: 00901830
DuplicateHandle.KERNEL32(00000000,?,00901449,?,?,00000000), ref: 00901833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00901449,?,?,00000000), ref: 00901843
GetCurrentProcess.KERNEL32(00901449,00000000,?,00901449,?,?,00000000), ref: 0090184B
DuplicateHandle.KERNEL32(00000000,?,00901449,?,?,00000000), ref: 0090184E
CreateThread.KERNEL32(00000000,00000000,00901874,00000000,00000000,00000000), ref: 00901868

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3df87dde6f8c6dce8e06f72b4af7cfe4d34a5bed743d98efde5ad4dfbb1e938e
Instruction ID: 95c2168df02635c52a5ec963bdf05e5156591fce9c72ad6bd4b2dd6a4ea13a29
Opcode Fuzzy Hash: 3df87dde6f8c6dce8e06f72b4af7cfe4d34a5bed743d98efde5ad4dfbb1e938e
Instruction Fuzzy Hash: BC01BBB5254708BFE710ABA5DC4DF6B3BACEB89B11F008411FA05EB1A1CA70D810EF20

Function 0092A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0090D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0090D501
Part of subcall function 0090D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0090D50F
Part of subcall function 0090D4DC: CloseHandle.KERNEL32(00000000), ref: 0090D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092A16D
GetLastError.KERNEL32 ref: 0092A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0092A268
GetLastError.KERNEL32(00000000), ref: 0092A273
CloseHandle.KERNEL32(00000000), ref: 0092A2C4

Strings

SeDebugPrivilege, xrefs: 0092A18F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bc2f292dbc757d7ad98befd43d1317844895baf92309c13956c28703bf6d6f66
Instruction ID: cfd0dbcc8f1eeaf3c5f2cfbfd255bd750e388a28ccb9136f73a477094d49aff4
Opcode Fuzzy Hash: bc2f292dbc757d7ad98befd43d1317844895baf92309c13956c28703bf6d6f66
Instruction Fuzzy Hash: B861C071208652DFE720DF18D894F15BBE5AF44318F18848CE4668BBA3C776EC45CB92

Function 00933886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00933925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0093393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00933954
_wcslen.LIBCMT ref: 00933999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009339F4

Strings

SysListView32, xrefs: 009338F7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a77b4141012b7c15ae50b689aac205bc3fd1ea225528a11d908b300d097a8f70
Instruction ID: 152071b96905b0210508ac8b4f365c4afca894eaec01971f51ee3d041a7ce62d
Opcode Fuzzy Hash: a77b4141012b7c15ae50b689aac205bc3fd1ea225528a11d908b300d097a8f70
Instruction Fuzzy Hash: 4F41A171A40219EBEB219F64CC49FEA7BA9FF48354F104526F958E7281D771DA80CF90

Function 0090BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0090BCFD
IsMenu.USER32(00000000), ref: 0090BD1D
CreatePopupMenu.USER32 ref: 0090BD53
GetMenuItemCount.USER32(01345908), ref: 0090BDA4
InsertMenuItemW.USER32(01345908,?,00000001,00000030), ref: 0090BDCC

Strings

2, xrefs: 0090BD37
0, xrefs: 0090BCA8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cced61385f67aee38e95d0c9df975553ac32e16a522bc56e8d09ac43bf04b424
Instruction ID: 7af3d0200967ad5a629b0010401900a517df05316cf174f4f4b084e45773dbdb
Opcode Fuzzy Hash: cced61385f67aee38e95d0c9df975553ac32e16a522bc56e8d09ac43bf04b424
Instruction Fuzzy Hash: 2E519CB0A04206DFDB10DFA8D888BAEFBF8EF85314F148619E551A72D1D7709940CB61

Function 0090C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0090C913

Strings

info, xrefs: 0090C8B4
question, xrefs: 0090C8CC
blank, xrefs: 0090C895
warning, xrefs: 0090C8FC
stop, xrefs: 0090C8E4

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 37fd62409c2bbba4e5aa6366a1c3a1b266c6d0157ce794fa18ef947aafb92649
Instruction ID: 28562c11ecea2c43f6e64c041c61a6732fa299f1260a341b26053e9b2859b460
Opcode Fuzzy Hash: 37fd62409c2bbba4e5aa6366a1c3a1b266c6d0157ce794fa18ef947aafb92649
Instruction Fuzzy Hash: 56115C72689307BEE7049B14DC83DAE37ACDF15318F20412FF904E62C2E7B49E406269

Function 0090ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0090ED2A
_wcslen.LIBCMT ref: 0090ED3B
_wcslen.LIBCMT ref: 0090ED79
_wcslen.LIBCMT ref: 0090EDAF
_wcslen.LIBCMT ref: 0090EDDF
_wcslen.LIBCMT ref: 0090EDEF
_wcslen.LIBCMT ref: 0090EE2B
_wcslen.LIBCMT ref: 0090EE5A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7410d8b3e635ac3ca9b17e5f90040e2c9764aad9a9c656c9e2d4dc044e500c98
Instruction ID: 3210cf231ecb3aef273b51285ddba3ee75adfa2bb33621dd0c8577dca3e9b4a1
Opcode Fuzzy Hash: 7410d8b3e635ac3ca9b17e5f90040e2c9764aad9a9c656c9e2d4dc044e500c98
Instruction Fuzzy Hash: 23418365C1021865CB11EBB8C88AEDFB7B8FF45710F504866E518E3161FB34E255C7A6

Function 008BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 008BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 008FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 008FF454

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 98e907d1a26eb5209f266f44beeaf4ab370891c70501a823585f337ab4040918
Instruction ID: 3ce1408066632a82c067e61758e9c808c2ceec917931dd2ac6f0d1da4dad232b
Opcode Fuzzy Hash: 98e907d1a26eb5209f266f44beeaf4ab370891c70501a823585f337ab4040918
Instruction Fuzzy Hash: 9141B331618684BAC7398B398C887BA7F91FF56318F14453CE787E6763D631A880DB11

Function 00932D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00932D1B
GetDC.USER32(00000000), ref: 00932D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00932D2E
ReleaseDC.USER32(00000000,00000000), ref: 00932D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00932D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00932D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00935A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00932DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00932DE1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d3c5a7a9d295abd1c8b01a5693964429b882e72e20149fc4e7cec2adaa3b280f
Instruction ID: e8014e0d47745596c92f71d681c9ad9331406f44dc0f64d79c12f4ed08a2881f
Opcode Fuzzy Hash: d3c5a7a9d295abd1c8b01a5693964429b882e72e20149fc4e7cec2adaa3b280f
Instruction Fuzzy Hash: 6D317CB2215614BFEB218F50CC8AFEB3BADEF09715F044055FE08AA2A1C6759C50CBA4

Function 00905622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00905637
_memcmp.LIBVCRUNTIME ref: 00905659
_memcmp.LIBVCRUNTIME ref: 00905671
_memcmp.LIBVCRUNTIME ref: 00905684
_memcmp.LIBVCRUNTIME ref: 0090569E
_memcmp.LIBVCRUNTIME ref: 009056B1
_memcmp.LIBVCRUNTIME ref: 009056C9
_memcmp.LIBVCRUNTIME ref: 009056E4

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 186c9695db2eb6d5d96f928974b2507a199114c038ac81a4f27d99eca1079bb1
Instruction ID: 3ded15ce165a65b2dcf2e1013b926bf659a8f0f5874dbe6ae55c5673b24f4ac2
Opcode Fuzzy Hash: 186c9695db2eb6d5d96f928974b2507a199114c038ac81a4f27d99eca1079bb1
Instruction Fuzzy Hash: 5521A761A80A09BFDB1455258E96FBB336CFF62388F450024FD05DA6C2F736ED108DA6

Function 00924FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00925007
NULL Pointer assignment, xrefs: 0092502E, 00925383

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 17e21b6d96c20e40f5bd0715c0a6cf61c9421e7ddc559e39b1971639e6565af9
Instruction ID: 6bb72e46b02e174fab1026725d02bfedb82d2644dbad5e00decbf71a567edbe4
Opcode Fuzzy Hash: 17e21b6d96c20e40f5bd0715c0a6cf61c9421e7ddc559e39b1971639e6565af9
Instruction Fuzzy Hash: 4BD1B171A0062ADFDF10CFA8D880BAEB7B9BF48344F158469E915EB285E770DD41CB90

Function 008E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008E15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008E1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008E16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008E16FB

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008E1777
__freea.LIBCMT ref: 008E17A2
__freea.LIBCMT ref: 008E17AE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c912adf60400ee8ef606b00f4897c422c662e26f5d36949761fa7efd0ef53db1
Instruction ID: a023bd6f37299f6e0b5ca3625fd01f065e6de046b97c3de154fa3a9e7666b03d
Opcode Fuzzy Hash: c912adf60400ee8ef606b00f4897c422c662e26f5d36949761fa7efd0ef53db1
Instruction Fuzzy Hash: 3B91C371E0429AAADF208EB6CC89EEE7BB5FF4A714F184659E811E7151DB35CC40CB60

Function 00924523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00924648
VariantInit.OLEAUT32(?), ref: 00924749
VariantClear.OLEAUT32(?), ref: 00924753
VariantClear.OLEAUT32(?), ref: 009247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0092472C
Null Object assignment in FOR..IN loop, xrefs: 009245D8, 00924706, 009247BE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5d4435da21be7ba03c2965e96a1966440c746f0b9db13f71221d4ede54c01d6c
Instruction ID: 2d71b09e1a2397050c6f0200d459880bdd80822e9f841b9fa8afd07b7f694355
Opcode Fuzzy Hash: 5d4435da21be7ba03c2965e96a1966440c746f0b9db13f71221d4ede54c01d6c
Instruction Fuzzy Hash: B7917F71A00229ABDF20CFA4EC44FAEBBBCEF46714F108559F515AB284D7749945CFA0

Function 00911187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0091125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00911284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0091135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00911430

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e7d8bf55b9e64d97f5c30c947164c7d34bf8418bd840f0d17b1e9b74a592a4d8
Instruction ID: 7059733b48bdaed8d9bd93577a50f454dda315befd06c6c297111d493443edb6
Opcode Fuzzy Hash: e7d8bf55b9e64d97f5c30c947164c7d34bf8418bd840f0d17b1e9b74a592a4d8
Instruction Fuzzy Hash: 8191DF71A0021DAFDB00DFA8D884BFEB7B9FF45710F144429EA11EB2A1D774A981CB91

Function 008B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7bef0d1ca147783f845a64ddf54d1194ce348697fbe1ced96f5bb7085e70ddcd
Instruction ID: 0b97c8c59838dc6609814978455405c5641fd9fd44b3851cfe9b7b67aa3d4fe1
Opcode Fuzzy Hash: 7bef0d1ca147783f845a64ddf54d1194ce348697fbe1ced96f5bb7085e70ddcd
Instruction Fuzzy Hash: BF91137194421AAFCB14CFA9C884AEEBBB8FF49320F148059E655F7351D274AA42CB60

Function 00923947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0092396B
CharUpperBuffW.USER32(?,?), ref: 00923A7A
_wcslen.LIBCMT ref: 00923A8A
VariantClear.OLEAUT32(?), ref: 00923C1F

Part of subcall function 00910CDF: VariantInit.OLEAUT32(00000000), ref: 00910D1F
Part of subcall function 00910CDF: VariantCopy.OLEAUT32(?,?), ref: 00910D28
Part of subcall function 00910CDF: VariantClear.OLEAUT32(?), ref: 00910D34

Strings

Incorrect Parameter format, xrefs: 009239A6, 00923BA1
AUTOIT.ERROR, xrefs: 00923A80, 00923A85

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0ebf42249298d98d661d40ad57f57ca708ea2fe0bc7fab435ae997a296ae8c92
Instruction ID: 8db5d51c964854b5f212dca21168f8b0c52cf1496eb34dabd0c2a6d2ee31b922
Opcode Fuzzy Hash: 0ebf42249298d98d661d40ad57f57ca708ea2fe0bc7fab435ae997a296ae8c92
Instruction Fuzzy Hash: B59169746083159FC704EF28D48096AB7E9FF89314F14882DF88A97351DB35EE45CB92

Function 00924BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0090000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?,?,0090035E), ref: 0090002B
Part of subcall function 0090000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900046
Part of subcall function 0090000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900054
Part of subcall function 0090000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?), ref: 00900064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00924C51
_wcslen.LIBCMT ref: 00924D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00924DCF
CoTaskMemFree.OLE32(?), ref: 00924DDA

Strings

NULL Pointer assignment, xrefs: 00924E23, 00924E52

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8b09ebfc93b70a18646bc35b32bef1ab7fb13be798d9a08f05a2886126093464
Instruction ID: 4a552ff3b52c61e04671f4144750f4cbad31a45f60dbb2c4fd39ae1e8e543287
Opcode Fuzzy Hash: 8b09ebfc93b70a18646bc35b32bef1ab7fb13be798d9a08f05a2886126093464
Instruction Fuzzy Hash: F3912771D0022D9FEF14DFA4D891AEEBBB8FF48300F108569E915A7295DB349A44CFA1

Function 009320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00932183
GetMenuItemCount.USER32(00000000), ref: 009321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009321DD
_wcslen.LIBCMT ref: 00932213
GetMenuItemID.USER32(?,?), ref: 0093224D
GetSubMenu.USER32(?,?), ref: 0093225B

Part of subcall function 00903A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00903A57
Part of subcall function 00903A3D: GetCurrentThreadId.KERNEL32 ref: 00903A5E
Part of subcall function 00903A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009025B3), ref: 00903A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009322E3

Part of subcall function 0090E97B: Sleep.KERNEL32 ref: 0090E9F3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 382f3d6e6a92910e57227f330ae961c30e5a98b512b0298f9e2c6e4999499025
Instruction ID: 7a97a0cdad1547d72d24ba2d1db967a848fdca00dc919a81152814e6ee0d9ab5
Opcode Fuzzy Hash: 382f3d6e6a92910e57227f330ae961c30e5a98b512b0298f9e2c6e4999499025
Instruction Fuzzy Hash: 4F718D75A04205AFCB14EFA8C845AAEB7F5FF88310F148459E926EB351DB34ED418F91

Function 00937E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01345A98), ref: 00937F37
IsWindowEnabled.USER32(01345A98), ref: 00937F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0093801E
SendMessageW.USER32(01345A98,000000B0,?,?), ref: 00938051
IsDlgButtonChecked.USER32(?,?), ref: 00938089
GetWindowLongW.USER32(01345A98,000000EC), ref: 009380AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009380C3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 67df0cc7640db18352d1fda181f0bf3d6dad952267430f75306753141275907e
Instruction ID: 08deb6a4ac78d2fb1bae17ed3998f06ba57cdadcff4eacd900e81c1808d7e51b
Opcode Fuzzy Hash: 67df0cc7640db18352d1fda181f0bf3d6dad952267430f75306753141275907e
Instruction Fuzzy Hash: 6C718BB4608604AFEB359FA4CC84FEABBB9FF4A300F144459F945972A1CB31A845DF20

Function 0090AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0090AEF9
GetKeyboardState.USER32(?), ref: 0090AF0E
SetKeyboardState.USER32(?), ref: 0090AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0090AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0090AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0090AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0090B020

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 66b70c2b0d6060f177735edf987cefbcc7c4389c60329d6898677dcb46569216
Instruction ID: 9e8447affd63301ca68c93c6a823eef2ea95f38e2033d43e4ee8ae6fe45b14d1
Opcode Fuzzy Hash: 66b70c2b0d6060f177735edf987cefbcc7c4389c60329d6898677dcb46569216
Instruction Fuzzy Hash: 7551A3A16187D63DFB368334CC45BBA7EED5B06304F088589E2E9954C2D399ACC4D791

Function 0090ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0090AD19
GetKeyboardState.USER32(?), ref: 0090AD2E
SetKeyboardState.USER32(?), ref: 0090AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0090ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0090ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0090AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0090AE38

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5b958e3fed8ed948b3d007ec66c7034297a9bf5d3ab7df222d08670f95b802c9
Instruction ID: 4e063f510990057ce7a305ddfc82b1bf66880aaabc32894cf4524e19fe152175
Opcode Fuzzy Hash: 5b958e3fed8ed948b3d007ec66c7034297a9bf5d3ab7df222d08670f95b802c9
Instruction Fuzzy Hash: 5451E5A15187D53DFB378334CC55BBABEED5B46304F088489E1D5568C3D294EC88E7A2

Function 008D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008E3CD6,?,?,?,?,?,?,?,?,008D5BA3,?,?,008E3CD6,?,?), ref: 008D5470
__fassign.LIBCMT ref: 008D54EB
__fassign.LIBCMT ref: 008D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008E3CD6,00000005,00000000,00000000), ref: 008D552C
WriteFile.KERNEL32(?,008E3CD6,00000000,008D5BA3,00000000,?,?,?,?,?,?,?,?,?,008D5BA3,?), ref: 008D554B
WriteFile.KERNEL32(?,?,00000001,008D5BA3,00000000,?,?,?,?,?,?,?,?,?,008D5BA3,?), ref: 008D5584

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8a4d0b8e6d48dc1e60498e4d1f70b679df5823e0bbd1daf822f134f749ffd0a1
Instruction ID: b9bfa717adce3c295e551f0d8cbb3416b13c5510b32de90aac5720b50ae5063b
Opcode Fuzzy Hash: 8a4d0b8e6d48dc1e60498e4d1f70b679df5823e0bbd1daf822f134f749ffd0a1
Instruction Fuzzy Hash: CD51C0B1A00649AFDB11DFA8E851AEEBBF9FF09300F14421BF555E7391D6309A81CB61

Function 008C2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008C2D53
_ValidateLocalCookies.LIBCMT ref: 008C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008C2E0C
_ValidateLocalCookies.LIBCMT ref: 008C2E61

Strings

csm, xrefs: 008C2DF6

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3185bc61a9ef155b7f9a593442c09ebcde96c1a145a1db18b7802f026dc7097c
Instruction ID: 16ac0fcfadccf3bd39fab9ff9e8c8e638127fcbe3ffab34f00e41e9a5a8a58a4
Opcode Fuzzy Hash: 3185bc61a9ef155b7f9a593442c09ebcde96c1a145a1db18b7802f026dc7097c
Instruction Fuzzy Hash: B4417134A0020DABCF10DF68C845F9EBBB5FF55328F148169E915EB292D731DA15CB91

Function 009210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0092304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0092307A
Part of subcall function 0092304E: _wcslen.LIBCMT ref: 0092309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00921112
WSAGetLastError.WSOCK32 ref: 00921121
WSAGetLastError.WSOCK32 ref: 009211C9
closesocket.WSOCK32(00000000), ref: 009211F9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5749d12a9ca97160111a0212eda0ea5ad28e0d71ab25cebfb42559270ee1889e
Instruction ID: 58265cc49db3e7b05b84c77d5e0ac4fe0d4498bfd4bde41d8a7f6816266d38c4
Opcode Fuzzy Hash: 5749d12a9ca97160111a0212eda0ea5ad28e0d71ab25cebfb42559270ee1889e
Instruction Fuzzy Hash: 4C413531604614AFEB109F24D884BAAB7E9FF41324F148019FD06AB296C774EE51CFE1

Function 0090CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0090CF22,?), ref: 0090DDFD

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0090CF22,?), ref: 0090DE16

lstrcmpiW.KERNEL32(?,?), ref: 0090CF45
MoveFileW.KERNEL32(?,?), ref: 0090CF7F
_wcslen.LIBCMT ref: 0090D005
_wcslen.LIBCMT ref: 0090D01B
SHFileOperationW.SHELL32(?), ref: 0090D061

Strings

\*.*, xrefs: 0090CFF3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c9f639ae3a4e004ce13d8ace4e81713c5b57f6a627f09bd42a120da5bff8ade9
Instruction ID: 9112c55064bdb5831fd2a176ae091b446794a2c397ccd1d79dbf96893d9fdfb8
Opcode Fuzzy Hash: c9f639ae3a4e004ce13d8ace4e81713c5b57f6a627f09bd42a120da5bff8ade9
Instruction Fuzzy Hash: 6F4158B19052199FDF12EBA4D981FDE77BDEF48380F0000E6E505E7181EA34A688CB51

Function 00932DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00932E1C
GetWindowLongW.USER32(?,000000F0), ref: 00932E4F
GetWindowLongW.USER32(?,000000F0), ref: 00932E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00932EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00932EE0
GetWindowLongW.USER32(?,000000F0), ref: 00932EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00932F0B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e3183c47b1fda7f3f710f927ce80477e601c9a9f37a9f39321a773dc89982025
Instruction ID: b34bb9fd98b045c93153439122c0c331f1a7a4a5afcf05abd1f32ff512d9b292
Opcode Fuzzy Hash: e3183c47b1fda7f3f710f927ce80477e601c9a9f37a9f39321a773dc89982025
Instruction Fuzzy Hash: B3310435618251AFDB21CF58EC86F6537E9FB8AB10F150164FA059F2B1CB71A881EF41

Function 00907726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00907769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0090778F
SysAllocString.OLEAUT32(00000000), ref: 00907792
SysAllocString.OLEAUT32(?), ref: 009077B0
SysFreeString.OLEAUT32(?), ref: 009077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009077DE
SysAllocString.OLEAUT32(?), ref: 009077EC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c6a1d8f9e28b9030180aa6c3aed10061c241f04a3018b19b7326391e0a955448
Instruction ID: e655ef5a0b02080980439a9249e04a1a24cd8e727492d433003a2d9d03437bb2
Opcode Fuzzy Hash: c6a1d8f9e28b9030180aa6c3aed10061c241f04a3018b19b7326391e0a955448
Instruction Fuzzy Hash: 91219576A08219AFDB10DFE8CC88CBB77ACEF097A47048425FA15DB1A1D674ED419B60

Function 009077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00907842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00907868
SysAllocString.OLEAUT32(00000000), ref: 0090786B
SysAllocString.OLEAUT32 ref: 0090788C
SysFreeString.OLEAUT32 ref: 00907895
StringFromGUID2.OLE32(?,?,00000028), ref: 009078AF
SysAllocString.OLEAUT32(?), ref: 009078BD

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 36ddc91a9b9f83da0590939d5e9eace3866218319da5bb89ea613886033a43db
Instruction ID: c99884cc0357ffb41dea9258ab48561c98ab7e43db112f3d6926297ae3410023
Opcode Fuzzy Hash: 36ddc91a9b9f83da0590939d5e9eace3866218319da5bb89ea613886033a43db
Instruction Fuzzy Hash: 5F216072A08204AFDB109FE8DC8CDBAB7ECEB097607108125FA15DB2A1D674EC41DB64

Function 009104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0091052E

Strings

nul, xrefs: 00910567

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: de4f728ee910785ad08e49a27e75c7524f07f345aaff24610e7e2e72ef78067e
Instruction ID: 2cf62fc4dc2ad37bdd084c3dbb104bcb81f7dece043f5daea9516f1ec1238aef
Opcode Fuzzy Hash: de4f728ee910785ad08e49a27e75c7524f07f345aaff24610e7e2e72ef78067e
Instruction Fuzzy Hash: D32162756003099BDB209F6ADC44ADA77A9BF84764F204A19F8A1E71E0D7B1D9D0DF20

Function 009105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00910601

Strings

nul, xrefs: 00910639

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a8294001731fb9783765db8c109af9112ab5079907ba86aa7747841013447272
Instruction ID: 12d0ab1cec275e94c5d68ab7303fee74ab7fbf312d32ae26b99d35a696d8100e
Opcode Fuzzy Hash: a8294001731fb9783765db8c109af9112ab5079907ba86aa7747841013447272
Instruction Fuzzy Hash: 962183756003099BDB209F698C04ADA77E8AFD5760F200B19F8A1E72D0D7F198E0DB10

Function 009340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008A604C
Part of subcall function 008A600E: GetStockObject.GDI32(00000011), ref: 008A6060
Part of subcall function 008A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00934112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0093411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0093412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00934139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00934145

Strings

Msctls_Progress32, xrefs: 009340E3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 59d3e1d2d5472a6c862c4c04f85069761e069af727e3842e903ca791c9656fe0
Instruction ID: 0a80679e3b4fd37297b8e427061e15ced885f712b7e72a3be0a7fe2cb57f23ad
Opcode Fuzzy Hash: 59d3e1d2d5472a6c862c4c04f85069761e069af727e3842e903ca791c9656fe0
Instruction Fuzzy Hash: B611B2B2150219BFEF118FA4CC86EE77F5DEF18798F014111FA18A2050CA769C61DBA4

Function 008DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008DD7A3: _free.LIBCMT ref: 008DD7CC

_free.LIBCMT ref: 008DD82D

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DD838
_free.LIBCMT ref: 008DD843
_free.LIBCMT ref: 008DD897
_free.LIBCMT ref: 008DD8A2
_free.LIBCMT ref: 008DD8AD
_free.LIBCMT ref: 008DD8B8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e6cdbbff83eb11a25ee886b417784282e7000e848ce1d81f7d3e9c1ea1d72b58
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E2115E71540B04BAD621BFB9CC47FCB7BDCFF10700F400A26B29DE6292DA65B5059662

Function 0090DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0090DA74
LoadStringW.USER32(00000000), ref: 0090DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0090DA91
LoadStringW.USER32(00000000), ref: 0090DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0090DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0090DAB9

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 512bc596009a64a07dac8900482f791e4ba7b588290e03679ef717d2649ae760
Instruction ID: c5b4ec7118f656f08c0adb792391bba7f86767128eaa0d8aba45273c4bceef42
Opcode Fuzzy Hash: 512bc596009a64a07dac8900482f791e4ba7b588290e03679ef717d2649ae760
Instruction Fuzzy Hash: 450186F25042087FE7109BE09D89EEB336CE708305F400895B746F2081EA749E845F74

Function 0091096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0133DFE8,0133DFE8), ref: 0091097B
EnterCriticalSection.KERNEL32(0133DFC8,00000000), ref: 0091098D
TerminateThread.KERNEL32(?,000001F6), ref: 0091099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009109A9
CloseHandle.KERNEL32(?), ref: 009109B8
InterlockedExchange.KERNEL32(0133DFE8,000001F6), ref: 009109C8
LeaveCriticalSection.KERNEL32(0133DFC8), ref: 009109CF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 94e93e376c0f4693f16c99a78cba30d7c07d69b6f75822a68c7a4c8948ab2181
Instruction ID: 9147b1c1a85f465a84c9835cb082bfa767090baffdeeecf4bdc0a21c38386735
Opcode Fuzzy Hash: 94e93e376c0f4693f16c99a78cba30d7c07d69b6f75822a68c7a4c8948ab2181
Instruction Fuzzy Hash: D2F03171556902BBD7415F94EE8CBD67B39FF45702F401015F101608A1C7B5D4B5DF90

Function 008A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008A5D30
GetWindowRect.USER32(?,?), ref: 008A5D71
ScreenToClient.USER32(?,?), ref: 008A5D99
GetClientRect.USER32(?,?), ref: 008A5ED7
GetWindowRect.USER32(?,?), ref: 008A5EF8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4079413759e47e5442ad35e57606513046ce0c9eae95cca072f2da6a1bb2cba1
Instruction ID: be24bac2a53c9a92c7f6bda2cb2d8ccf9133e6f731a3266eb4c7e3f2da11ae60
Opcode Fuzzy Hash: 4079413759e47e5442ad35e57606513046ce0c9eae95cca072f2da6a1bb2cba1
Instruction Fuzzy Hash: 23B18A74A00B8ADBDB10CFA9C4807EEB7F1FF59310F14941AE8A9D7650DB30AA90DB50

Function 008D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D00D6
__allrem.LIBCMT ref: 008D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D010B
__allrem.LIBCMT ref: 008D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D0140

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: ef7e757fa4810399844e21c7b5c4d3d93d70fddccc6b19c433a7dd6890ebf859
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 9081D372A00B06ABEB249A6DCC41B6A73F9FF51364F24422FF551D7382EB70D9008B91

Function 00921D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00923149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0092101C,00000000,?,?,00000000), ref: 00923195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00921DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00921DE1
WSAGetLastError.WSOCK32 ref: 00921DF2
inet_ntoa.WSOCK32(?), ref: 00921E8C
htons.WSOCK32(?,?,?,?,?), ref: 00921EDB
_strlen.LIBCMT ref: 00921F35

Part of subcall function 009039E8: _strlen.LIBCMT ref: 009039F2

Part of subcall function 008A6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,008BCF58,?,?,?), ref: 008A6DBA
Part of subcall function 008A6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,008BCF58,?,?,?), ref: 008A6DED

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 9c44214f675e059bcd9c356fe4cf8d04a32ff1f0ba39cc6fc66959fa7685e1a4
Instruction ID: 8ecf42f407db88bfef5b99debec95a714eb89a892d84b5c03f74e8eaf20f04a6
Opcode Fuzzy Hash: 9c44214f675e059bcd9c356fe4cf8d04a32ff1f0ba39cc6fc66959fa7685e1a4
Instruction Fuzzy Hash: B7A1DF30504310AFD324DB24D881F6A77A9FF95318F58895CF4669B2E2DB31ED42CB92

Function 008D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008C82D9,008C82D9,?,?,?,008D644F,00000001,00000001,8BE85006), ref: 008D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008D644F,00000001,00000001,8BE85006,?,?,?), ref: 008D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008D63D8
__freea.LIBCMT ref: 008D63E5

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

__freea.LIBCMT ref: 008D63EE
__freea.LIBCMT ref: 008D6413

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9618f7dd8ebeeda02b0194736ccaf57453a38a056a3672d5d17e2a622b6151f8
Instruction ID: 14579566d660f441a3132bc2caec52cffabba22c130acd126506d6cb2f55c07d
Opcode Fuzzy Hash: 9618f7dd8ebeeda02b0194736ccaf57453a38a056a3672d5d17e2a622b6151f8
Instruction Fuzzy Hash: E851F172A0021AABDB298F64DC81EAF77AAFF44710F15432AFC05D6341EB34DC60D661

Function 0092BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0092BD25
RegCloseKey.ADVAPI32(00000000), ref: 0092BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0092BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0092BDF3
RegCloseKey.ADVAPI32(?), ref: 0092BDFF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 86f22881b3c7528ca632aefc91b2991fc7ec0273c6837d310f7dc957d3598c66
Instruction ID: 3fabb8e4ee5ef131a61c427be6ba3d488e5d5174bdfa6cf4e920a6f0af2f1280
Opcode Fuzzy Hash: 86f22881b3c7528ca632aefc91b2991fc7ec0273c6837d310f7dc957d3598c66
Instruction Fuzzy Hash: 2C81C370208241EFD714DF24D891E6ABBE9FF85308F14895CF5958B2A2DB31ED45CB92

Function 008FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008FF7B9
SysAllocString.OLEAUT32(00000001), ref: 008FF860
VariantCopy.OLEAUT32(008FFA64,00000000), ref: 008FF889
VariantClear.OLEAUT32(008FFA64), ref: 008FF8AD
VariantCopy.OLEAUT32(008FFA64,00000000), ref: 008FF8B1
VariantClear.OLEAUT32(?), ref: 008FF8BB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3d351a362c487d9fa19d4ffa38fee86ff48f6ae9c9df1af06b7a3d0b7ef4677a
Instruction ID: 7b2a752471a63c5e96030709caf84490e2a4c3a60f103a05ae79a334b9f17bfe
Opcode Fuzzy Hash: 3d351a362c487d9fa19d4ffa38fee86ff48f6ae9c9df1af06b7a3d0b7ef4677a
Instruction Fuzzy Hash: BE51D531610318BADF20AB79D895B39B7A4FF45314B248466EB05DF293DBB08C40DB57

Function 0091910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009194E5
_wcslen.LIBCMT ref: 00919506
_wcslen.LIBCMT ref: 0091952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00919585

Strings

X, xrefs: 00919412

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 528fb1dab7f97a6b1bec99de569c313106a579b75ed0e3b5dd272f08c5b79fa5
Instruction ID: 4fd3a883c718e3b5f5efbaca4be2797a40994b09b0bf7981bd946d7cb067ab30
Opcode Fuzzy Hash: 528fb1dab7f97a6b1bec99de569c313106a579b75ed0e3b5dd272f08c5b79fa5
Instruction Fuzzy Hash: 31E1B4316083118FD724DF28C891AAAB7E5FF85314F04896DF8999B3A2DB31DD45CB92

Function 008B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

BeginPaint.USER32(?,?,?), ref: 008B9241
GetWindowRect.USER32(?,?), ref: 008B92A5
ScreenToClient.USER32(?,?), ref: 008B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008B92D3
EndPaint.USER32(?,?,?,?,?), ref: 008B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008F71EA

Part of subcall function 008B9339: BeginPath.GDI32(00000000), ref: 008B9357

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 93a14f5843d7a17c3c1829d1c9190f1b4fd7a619a159a1d4d1de82f59347cfbe
Instruction ID: fc23920d0188a577f6c181f49d0769c4430fe3f7d0e78b4aede35cf3392e5520
Opcode Fuzzy Hash: 93a14f5843d7a17c3c1829d1c9190f1b4fd7a619a159a1d4d1de82f59347cfbe
Instruction Fuzzy Hash: 0641A171108205AFD711DF28DC85FB67BE8FB49324F140229FAA8D72A1C7319885EB62

Function 009107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0091080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00910847
EnterCriticalSection.KERNEL32(?), ref: 00910863
LeaveCriticalSection.KERNEL32(?), ref: 009108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00910921

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8cde90fd22178f4875c44090bf83e06fd36de2a330ec8e17532f67ff03b8d062
Instruction ID: 22f3cdc35975a0d9c9170f5e1afa4e2047e247f0c45923fa9f6d3409f85b4f45
Opcode Fuzzy Hash: 8cde90fd22178f4875c44090bf83e06fd36de2a330ec8e17532f67ff03b8d062
Instruction Fuzzy Hash: 0F415B71A04209EBDF14AF64DC85AAA7779FF44310F1440A9E904EE297D771DEA0DBA0

Function 009381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008FF3AB,00000000,?,?,00000000,?,008F682C,00000004,00000000,00000000), ref: 0093824C
EnableWindow.USER32(?,00000000), ref: 00938272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009382D1
ShowWindow.USER32(?,00000004), ref: 009382E5
EnableWindow.USER32(?,00000001), ref: 0093830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0093832F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: fbffd21d142ead15e4b01476fe9a1a15df7e0a730b26a9abf8c91f965d04dd74
Instruction ID: 6fd1733e5dc063b9052f41e01a17192b7bca2a08036174d1366cf32badf60d77
Opcode Fuzzy Hash: fbffd21d142ead15e4b01476fe9a1a15df7e0a730b26a9abf8c91f965d04dd74
Instruction Fuzzy Hash: C041D331605740AFDB25CF18DC99BE67BE4FB0A754F1801A8FA184B2A2CB31A842DF40

Function 00904C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00904C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00904CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00904CEA
_wcslen.LIBCMT ref: 00904D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00904D10
_wcsstr.LIBVCRUNTIME ref: 00904D1A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5ca3bef82307c18d27029f535a8aefb89ad81c2508e35443e868c258ff0be38d
Instruction ID: 811c6e4aa299783eff0896eba5c88739f6ea4bbf3a84d99d0acdb0d2538a03b9
Opcode Fuzzy Hash: 5ca3bef82307c18d27029f535a8aefb89ad81c2508e35443e868c258ff0be38d
Instruction Fuzzy Hash: D32129B22042117FEB155B399C0AE7B7BACEF45750F10402DFA05DA1D2DA71DC0097A1

Function 0091581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 008A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008A3A97,?,?,008A2E7F,?,?,?,00000000), ref: 008A3AC2

_wcslen.LIBCMT ref: 0091587B
CoInitialize.OLE32(00000000), ref: 00915995
CoCreateInstance.OLE32(0093FCF8,00000000,00000001,0093FB68,?), ref: 009159AE
CoUninitialize.OLE32 ref: 009159CC

Strings

.lnk, xrefs: 00915876, 009158C1, 00915985

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: d71bb35a748808087772e34501fdd2e4583bb815c49ae21d0b015cfbf7c51bd9
Instruction ID: 4b1c7c87e9f9f214b7baa4158c5643c133d28abd208335d922b795e05293d2ef
Opcode Fuzzy Hash: d71bb35a748808087772e34501fdd2e4583bb815c49ae21d0b015cfbf7c51bd9
Instruction Fuzzy Hash: F2D16471608605DFC714DF18C480A6ABBE5FF89714F16885DF88A9B361DB31EC85CB92

Function 0090175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00900FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00900FCA
Part of subcall function 00900FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00900FD6
Part of subcall function 00900FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00900FE5
Part of subcall function 00900FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00900FEC
Part of subcall function 00900FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00901002

GetLengthSid.ADVAPI32(?,00000000,00901335), ref: 009017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009017BA
HeapAlloc.KERNEL32(00000000), ref: 009017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009017DA
GetProcessHeap.KERNEL32(00000000,00000000,00901335), ref: 009017EE
HeapFree.KERNEL32(00000000), ref: 009017F5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8c4d4dd50dbdaeee60e0d7d5a17f539c03e28f6dcc0dc38ac892fa7246c5e120
Instruction ID: 5f0ad9d64192912d14d1a78049685444457ffa69a37434b136ebb23ca6dfe3a6
Opcode Fuzzy Hash: 8c4d4dd50dbdaeee60e0d7d5a17f539c03e28f6dcc0dc38ac892fa7246c5e120
Instruction Fuzzy Hash: 1411BB72618605FFDB149FA4CC49BAF7BEDEB46355F104018F481A7290C736A940EF60

Function 009014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00901506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00901515
CloseHandle.KERNEL32(00000004), ref: 00901520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0090154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00901563

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ede2967bc3aee6f6579259262eb4090a06de5d112c9e8615145f39a64ecd87d1
Instruction ID: 3e3950938c569fa3931691b6e672503f3b9f3aea4bb572b5eb1d92cd020f4c0e
Opcode Fuzzy Hash: ede2967bc3aee6f6579259262eb4090a06de5d112c9e8615145f39a64ecd87d1
Instruction Fuzzy Hash: 401126B2604249EFDF118FA8DD49BDE7BADEF48748F044025FA05A20A0C3758E64EB60

Function 008C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008C3379,008C2FE5), ref: 008C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008C33B7
SetLastError.KERNEL32(00000000,?,008C3379,008C2FE5), ref: 008C3409

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 01ef60f5077909088d8263a911faecceed53d5b1251fe439a2cefd90c7b6dd22
Instruction ID: ec98d23145acf024dcbf4d652b570b714672c0100b4a607b24eefae11c8c56c6
Opcode Fuzzy Hash: 01ef60f5077909088d8263a911faecceed53d5b1251fe439a2cefd90c7b6dd22
Instruction Fuzzy Hash: EC01DE7221C311BAAA2427787C95F662AB4FB25379720822EF410C12F0EE71CD037688

Function 008D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008D5686,008E3CD6,?,00000000,?,008D5B6A,?,?,?,?,?,008CE6D1,?,00968A48), ref: 008D2D78
_free.LIBCMT ref: 008D2DAB
_free.LIBCMT ref: 008D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008CE6D1,?,00968A48,00000010,008A4F4A,?,?,00000000,008E3CD6), ref: 008D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008CE6D1,?,00968A48,00000010,008A4F4A,?,?,00000000,008E3CD6), ref: 008D2DEC
_abort.LIBCMT ref: 008D2DF2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0046606d3867eb1bd1bdd4fe631c36ed72bb8a7151b64ea26909c3fd6e25152d
Instruction ID: ee4e9c7714fa456b3c399a60ebdf2661d027135d9cf88ce07fc5c71e7df34a21
Opcode Fuzzy Hash: 0046606d3867eb1bd1bdd4fe631c36ed72bb8a7151b64ea26909c3fd6e25152d
Instruction Fuzzy Hash: 24F0A971508A046BC212373D6C06E2A2756FBE27A5F25471BF864D23D1EF6488016262

Function 00938A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B9693
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96A2
Part of subcall function 008B9639: BeginPath.GDI32(?), ref: 008B96B9
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00938A4E
LineTo.GDI32(?,00000003,00000000), ref: 00938A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00938A70
LineTo.GDI32(?,00000000,00000003), ref: 00938A80
EndPath.GDI32(?), ref: 00938A90
StrokePath.GDI32(?), ref: 00938AA0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f07d18d362f9ff86a308a5187f66bcf1a156aeb41aa58cfa82d3b4add4193b3d
Instruction ID: 16586adb1e84b40fe933af3cb8e8e4e4b06f4550021e6b8db98e486d47d56747
Opcode Fuzzy Hash: f07d18d362f9ff86a308a5187f66bcf1a156aeb41aa58cfa82d3b4add4193b3d
Instruction Fuzzy Hash: 96111B7601454CFFDF129F94DC88EAA7F6DEB08390F008012FA19AA1A1C7719D55EFA0

Function 009051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00905218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00905229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00905230
ReleaseDC.USER32(00000000,00000000), ref: 00905238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0090524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00905261

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 167cc44d116802eb4485962bc01cac0af4c062c7f27d7a48ee864a8668f3e5d9
Instruction ID: d2545a954d8b02b6094a04b6056d49ebc4768bf4c1d21e3f150a2b9239a4ec61
Opcode Fuzzy Hash: 167cc44d116802eb4485962bc01cac0af4c062c7f27d7a48ee864a8668f3e5d9
Instruction Fuzzy Hash: A8014FB5A04B19BBEB109BA99C49A5EBFB8EF48751F044065FA04F7291DA709C00DFA0

Function 008A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 008A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 008A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008A1C22

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: eb24e6d3ff6dbcc9dac1410533ba595d62a8b5767a51c6233968cf1710c0ddb0
Instruction ID: 5ed4f2b734faaf2c920252cb2c010ce5ca459c47fe71eeed20cce87d707465be
Opcode Fuzzy Hash: eb24e6d3ff6dbcc9dac1410533ba595d62a8b5767a51c6233968cf1710c0ddb0
Instruction Fuzzy Hash: 660167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 0090EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0090EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0090EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0090EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0090EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0090EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0090EB75

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d2d009bddcc6fa5afea3f255b6f49026e764261bec1b711acb0c22c2a9f9fd71
Instruction ID: 3fea2bcf98804e006c48cc18b4bbb8cb624ac77e2602b644c8ae76f13124b8bd
Opcode Fuzzy Hash: d2d009bddcc6fa5afea3f255b6f49026e764261bec1b711acb0c22c2a9f9fd71
Instruction Fuzzy Hash: 03F03AB2254959BBE7215BA29C0EEEF3A7CEFCAB15F004158F601E1091D7A05A01EBB5

Function 008F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008F7469
GetWindowDC.USER32(?), ref: 008F7475
GetPixel.GDI32(00000000,?,?), ref: 008F7484
ReleaseDC.USER32(?,00000000), ref: 008F7496
GetSysColor.USER32(00000005), ref: 008F74B0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9d05f8e344646797a0da5802384d00a846a238a6cab6adc734459fbedd8ba787
Instruction ID: 05e6577d1c9c5c5daaec36daa2e9af429b75de8f145fd3de95bb41e6682b566d
Opcode Fuzzy Hash: 9d05f8e344646797a0da5802384d00a846a238a6cab6adc734459fbedd8ba787
Instruction Fuzzy Hash: 08018B72418A09FFEB105FA4DC09BAA7BB5FB04315F100060FA15A21A0CB311E51BF10

Function 00901874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0090187F
UnloadUserProfile.USERENV(?,?), ref: 0090188B
CloseHandle.KERNEL32(?), ref: 00901894
CloseHandle.KERNEL32(?), ref: 0090189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009018A5
HeapFree.KERNEL32(00000000), ref: 009018AC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7fdadb07fe35a711cc0acc92d4fb4e535cc39ff4711932a9dfd5e7fc3efd19a1
Instruction ID: 4c90c6e28d5282f7e7a2b42856ca850415b3a6c538a6ae5b258bf4b38ac6df8e
Opcode Fuzzy Hash: 7fdadb07fe35a711cc0acc92d4fb4e535cc39ff4711932a9dfd5e7fc3efd19a1
Instruction Fuzzy Hash: 41E0C2B6018901BBDA015BE1ED0C90ABB29FB49B22B108220F225A1070CB329430FF50

Function 0090C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0090C6EE
_wcslen.LIBCMT ref: 0090C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0090C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0090C7CA

Strings

0, xrefs: 0090C6AF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 830960cbb148e951482e147171467c82891d17f4112689860000ab981611887e
Instruction ID: 4d342003d2f7a1be2124c3705cad8c28f86f589ad9c2fcb1fb4f01d8c875e2cc
Opcode Fuzzy Hash: 830960cbb148e951482e147171467c82891d17f4112689860000ab981611887e
Instruction Fuzzy Hash: 5151CEB26183019FD7249F28C885B6B77E8EF89310F040B2DF995E32E1DB74D9449B52

Function 0092AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0092AEA3

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

GetProcessId.KERNEL32(00000000), ref: 0092AF38
CloseHandle.KERNEL32(00000000), ref: 0092AF67

Strings

@, xrefs: 0092AE72
<, xrefs: 0092AE6B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: fab441077402b3407ac2514f69bf5c384b59c672c59caf6fd566733ab8acf107
Instruction ID: 118e2a946243ac8a824a530de45e6de88a873aa4f3101c2b8cdd895e22179ca2
Opcode Fuzzy Hash: fab441077402b3407ac2514f69bf5c384b59c672c59caf6fd566733ab8acf107
Instruction Fuzzy Hash: 46719B71A00625DFDB14EF58D484A9EBBF4FF09300F048499E816AB7A2CB74ED45CB92

Function 0090719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00907206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0090723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0090724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009072CF

Strings

DllGetClassObject, xrefs: 00907242

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5281702a46e59a73c2745009420f5576f8e905fa5e2273b69f0b8a61f2be0fb9
Instruction ID: 33bdcd2cf5a8beda71de7d0ddd723e91eca7cfbbc63198ea2523feb09fddf82e
Opcode Fuzzy Hash: 5281702a46e59a73c2745009420f5576f8e905fa5e2273b69f0b8a61f2be0fb9
Instruction Fuzzy Hash: 2F4186B1904204EFDB15CF98C884B9ABBB9EF44320F1584A9BD159F24AD7B0ED44DBA0

Function 00933D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00933E35
IsMenu.USER32(?), ref: 00933E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00933E92
DrawMenuBar.USER32 ref: 00933EA5

Strings

0, xrefs: 00933D89

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 202372ab023b6662598cc166e606d17e1096151f5155819c2203790e405f584f
Instruction ID: 5b47bcd05fdf94f7eed854c5907e4ed89642da0ef8edf514b26aa5a0940ab6f0
Opcode Fuzzy Hash: 202372ab023b6662598cc166e606d17e1096151f5155819c2203790e405f584f
Instruction Fuzzy Hash: 88416775A14209AFDB20DF64D884EAABBB9FF48350F048129F906A7250D730EE41DF61

Function 00901DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00901E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00901E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00901EA9

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Strings

ListBox, xrefs: 00901E25
ComboBox, xrefs: 00901DF0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0974d0e8d7d93786bb2b24af980eb5dd924b23023a0e55b76b4d4c1185a21bf1
Instruction ID: 49f602dccf5e06a98654c4f7b552add4ce1acc879394de007e25ced2975f22b6
Opcode Fuzzy Hash: 0974d0e8d7d93786bb2b24af980eb5dd924b23023a0e55b76b4d4c1185a21bf1
Instruction Fuzzy Hash: 8321B571A00104BFEB14AB68DC46CFFB7BDEF46364B144529F865E71E1DB384A0A9A20

Function 0092C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092C9F1
_wcslen.LIBCMT ref: 0092CA68
_wcslen.LIBCMT ref: 0092CA9E
_wcslen.LIBCMT ref: 0092CAF9
_wcslen.LIBCMT ref: 0092CB2F
_wcslen.LIBCMT ref: 0092CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0092CA62, 0092CA67
HKLM, xrefs: 0092CA98, 0092CA9D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 6ec8c118d59f12500ffbc8c30ee273a147aedc47790b7ff98344cd312e4a4757
Instruction ID: 24c517410ccb1ef05cc74d28be297101a8036a78e848d737dd5d2ec8d3784f39
Opcode Fuzzy Hash: 6ec8c118d59f12500ffbc8c30ee273a147aedc47790b7ff98344cd312e4a4757
Instruction Fuzzy Hash: DE3128B3A005794BCB20EF6CE9505BE33A9ABA1794F054029E845AB34CE671CE84D3E1

Function 00932F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00932F8D
LoadLibraryW.KERNEL32(?), ref: 00932F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00932FA9
DestroyWindow.USER32(?), ref: 00932FB1

Strings

SysAnimate32, xrefs: 00932F68

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: bd191d559ebb069c31b2e6b20986c906c5acbc243e40a4a379bd2c44b40b68b1
Instruction ID: 6092be820a0190795863df689e5635504daeedd24efab0f5da4531348d8328c1
Opcode Fuzzy Hash: bd191d559ebb069c31b2e6b20986c906c5acbc243e40a4a379bd2c44b40b68b1
Instruction Fuzzy Hash: 7E219D72214205ABEB114FA4DC81FBB7BBDEF59368F104618FA50E61A0D771DC91AF60

Function 008C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008C4D1E,008D28E9,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002), ref: 008C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008C4D1E,008D28E9,?,008C4CBE,008D28E9,009688B8,0000000C,008C4E15,008D28E9,00000002,00000000), ref: 008C4DC3

Strings

CorExitProcess, xrefs: 008C4D98
mscoree.dll, xrefs: 008C4D86

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 07d7f7a75e1b849285b719a3ebad5fdce6aea5e738b8ae93d07ca0c29ed9441b
Instruction ID: e92002d9f51b6e272be3538c7711bb9f5afc5cabf50b755815dfa757644739fa
Opcode Fuzzy Hash: 07d7f7a75e1b849285b719a3ebad5fdce6aea5e738b8ae93d07ca0c29ed9441b
Instruction Fuzzy Hash: F2F0AF75A14208BBDB109F90DC09FADBBB5EF44751F0000A8FA06E2260CB709A80EF91

Function 008A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008A4EAE
FreeLibrary.KERNEL32(00000000,?,?,008A4EDD,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 008A4EA8
kernel32.dll, xrefs: 008A4E94

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ec66fdffab3810a85c8d2bfd32194bb62b0b4f4269be21cc70fb0a9df67703bb
Instruction ID: 813dfe94f731920a829d359a3ed41e22d8cbfbb5d8e1d6021af4514a59ad5b46
Opcode Fuzzy Hash: ec66fdffab3810a85c8d2bfd32194bb62b0b4f4269be21cc70fb0a9df67703bb
Instruction Fuzzy Hash: 98E08676A199225BA72117656C18A5B6554FFC2B72B050115FD05F2100DBA0CD01AAE1

Function 008A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008A4E74
FreeLibrary.KERNEL32(00000000,?,?,008E3CDE,?,00971418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008A4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 008A4E6E
kernel32.dll, xrefs: 008A4E5B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 103a80e717c7146643b55378db3e1bac2734388915f6ceaf4b296caa59f14f1f
Instruction ID: 64fb1c674ce9a11f7f3afd8d42db19c03e60af0f256221b3bc12a300d9172031
Opcode Fuzzy Hash: 103a80e717c7146643b55378db3e1bac2734388915f6ceaf4b296caa59f14f1f
Instruction Fuzzy Hash: E8D0C23651AE21576A221B247C08D8B6A18FFC2B253450111B805F2110CFA0CD11EAD0

Function 00912947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00912C05
DeleteFileW.KERNEL32(?), ref: 00912C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00912C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00912CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00912CC0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 30262c5eede404a7d989935ce44faf895b5e562a6cd0043425734c00c388155e
Instruction ID: 9c79c063707db302606e37c81796f064f865f78e90316edd0c2ed1fef4e0f229
Opcode Fuzzy Hash: 30262c5eede404a7d989935ce44faf895b5e562a6cd0043425734c00c388155e
Instruction Fuzzy Hash: D9B12D71A0011DABDF11EBA4CC85EDEB7BDFF49350F1040AAF609E6151EA34DA948FA1

Function 0092A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0092A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0092A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0092A468
CloseHandle.KERNEL32(?), ref: 0092A63D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6a896964f47626f65b9c0cd4257e05c6c47455d644e20c72972062ad932bb4e6
Instruction ID: d3cad6daf184deeb77367f2964e4f9fb2bffd8e00590b9701d046af671069547
Opcode Fuzzy Hash: 6a896964f47626f65b9c0cd4257e05c6c47455d644e20c72972062ad932bb4e6
Instruction Fuzzy Hash: 18A17B716047009FE720DF28D886F2AB7E5AB84714F14881DF55ADB792DBB0EC418B92

Function 0090E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0090CF22,?), ref: 0090DDFD

Part of subcall function 0090DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0090CF22,?), ref: 0090DE16

Part of subcall function 0090E199: GetFileAttributesW.KERNEL32(?,0090CF95), ref: 0090E19A

lstrcmpiW.KERNEL32(?,?), ref: 0090E473
MoveFileW.KERNEL32(?,?), ref: 0090E4AC
_wcslen.LIBCMT ref: 0090E5EB
_wcslen.LIBCMT ref: 0090E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0090E650

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0aa9fb1272a0921b64fd5026687cabbb57ad4e71a689faec5c1e81d860c26519
Instruction ID: 31a06ba8f535a3c561461550a167be04384ee96591b48005fedebdbbfa0eabe3
Opcode Fuzzy Hash: 0aa9fb1272a0921b64fd5026687cabbb57ad4e71a689faec5c1e81d860c26519
Instruction Fuzzy Hash: C8515FB24087459FD724EB94D881ADBB3ECEF85340F00492EF589D3191EE75E6888B66

Function 0092B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 0092C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092B6AE,?,?), ref: 0092C9B5
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092C9F1
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA68
Part of subcall function 0092C998: _wcslen.LIBCMT ref: 0092CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0092BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0092BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0092BB63
RegCloseKey.ADVAPI32(?,?), ref: 0092BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0092BBB3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d868eec67ec51d51f1439b76c9ed5b23fad338c4e553f28f1c815fb169576008
Instruction ID: 0e49a3186391af7a0a0debd50d81ae201614786cae2e49a28fc35c11182a0cf5
Opcode Fuzzy Hash: d868eec67ec51d51f1439b76c9ed5b23fad338c4e553f28f1c815fb169576008
Instruction Fuzzy Hash: F561C271208241EFD714DF14D490E2ABBE9FF85308F14896CF4998B2A2DB31ED45CB92

Function 00908BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00908BCD
VariantClear.OLEAUT32 ref: 00908C3E
VariantClear.OLEAUT32 ref: 00908C9D
VariantClear.OLEAUT32(?), ref: 00908D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00908D3B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: af0c27b9c972ea647d54a8558991288101f443775590f30185df2cf839eec069
Instruction ID: 05b4721c853361c6eb486c5b8f0b8e63a1ce9ec5883a8d90b817dacbdc050ce8
Opcode Fuzzy Hash: af0c27b9c972ea647d54a8558991288101f443775590f30185df2cf839eec069
Instruction Fuzzy Hash: 77517CB5A10619EFCB10CF68C884AAAB7F9FF89310B158559F945DB390E730E911CF90

Function 00918AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00918BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00918BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00918C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00918C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00918C5F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 625754c05235cec9d88b814a8f0eeb96d40089cc82af7c2a9334103166386dbc
Instruction ID: 276487dbee38c681812c5e57802a5b530f0057cefa242c01a91988e4bcd19115
Opcode Fuzzy Hash: 625754c05235cec9d88b814a8f0eeb96d40089cc82af7c2a9334103166386dbc
Instruction Fuzzy Hash: 3F515B35A006189FDB00DF68C881AAEBBF5FF49314F088458E849AB362CB35ED51DF91

Function 00928EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00928F40
GetProcAddress.KERNEL32(00000000,?), ref: 00928FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00928FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00929032
FreeLibrary.KERNEL32(00000000), ref: 00929052

Part of subcall function 008BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00911043,?,753CE610), ref: 008BF6E6
Part of subcall function 008BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008FFA64,00000000,00000000,?,?,00911043,?,753CE610,?,008FFA64), ref: 008BF70D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ab3ac587ab8e7533759321eb7d300f3ed881512eaa3e69ced2561025fa0079dc
Instruction ID: ffe29bd329b9c865c70c0b280e8912ebc9687dfc3f695408b77fec0ee0d770f2
Opcode Fuzzy Hash: ab3ac587ab8e7533759321eb7d300f3ed881512eaa3e69ced2561025fa0079dc
Instruction Fuzzy Hash: D9514934A05215DFD700DF58C4948AEBBF5FF49314F0880A8E80AAB762DB31ED86CB91

Function 00936B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00936C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00936C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00936C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0091AB79,00000000,00000000), ref: 00936C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00936CC7

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ce6178c59ee9d3b6aa0d3e32240435f02d2fd806ff6cf9fe42ba4434b177c0e8
Instruction ID: 4214c965cf6208e5ef4080dfb7b33720ee9295f443b8f725616dbd42a416fb12
Opcode Fuzzy Hash: ce6178c59ee9d3b6aa0d3e32240435f02d2fd806ff6cf9fe42ba4434b177c0e8
Instruction Fuzzy Hash: 9441C775A08104BFDB24CF28CC55FA5BBA9EB09350F159268FAD9A72E0C371ED41DE50

Function 008D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008D20C3
_free.LIBCMT ref: 008D20E3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8e8611cbcb1a6d66dc78b8ed8e5fab3bc0ea18286ee703cb94c500d5fc1eb78d
Instruction ID: ae2da2fbd4f71bbbbe59a4ca48aecf3a7f313f622e24b814e276c6b7c3571ffc
Opcode Fuzzy Hash: 8e8611cbcb1a6d66dc78b8ed8e5fab3bc0ea18286ee703cb94c500d5fc1eb78d
Instruction Fuzzy Hash: C441D672A00204AFCB24DF78C881A6DB7B5FF99314F1546A9E615EB351D631ED01DB81

Function 008B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008B9141
ScreenToClient.USER32(00000000,?), ref: 008B915E
GetAsyncKeyState.USER32(00000001), ref: 008B9183
GetAsyncKeyState.USER32(00000002), ref: 008B919D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d13a4a808a5a3408c2fcab879fb2235d5dd1f56ef4317ded42def5f422839864
Instruction ID: 41c1fbd5360483edd79a08d2725a4bafbb923d688535278cf7dd4c7ad6ff3bae
Opcode Fuzzy Hash: d13a4a808a5a3408c2fcab879fb2235d5dd1f56ef4317ded42def5f422839864
Instruction Fuzzy Hash: 6B41AE71A0860AFBDF159F68C844BFEB774FF05324F208219E565E6290C7346994DF91

Function 00913874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00913922
TranslateMessage.USER32(?), ref: 0091394B
DispatchMessageW.USER32(?), ref: 00913955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00913966

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9915ad801767bd9938fa114692e05d9f130e8319add8d75bbb645259469a7664
Instruction ID: f187232c96ed66111174191ad54e3e7de881e9f733440bb0384724d3695a3181
Opcode Fuzzy Hash: 9915ad801767bd9938fa114692e05d9f130e8319add8d75bbb645259469a7664
Instruction Fuzzy Hash: 9D31D771718349DFEB39CB399849FF63BBCEB05300F048569E466921A0E3B4AAC5DB11

Function 0091CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0091C21E,00000000), ref: 0091CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0091CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0091C21E,00000000), ref: 0091CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0091C21E,00000000), ref: 0091CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0091C21E,00000000), ref: 0091CFF2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 5bea54499a6e684f4955df5ab896db794a8e46fb5498fee742b5a222c265d1f7
Instruction ID: 32e0a28c57af78f569d608bc2289204b4edbd4588148abb2f13455d8d223c8ea
Opcode Fuzzy Hash: 5bea54499a6e684f4955df5ab896db794a8e46fb5498fee742b5a222c265d1f7
Instruction Fuzzy Hash: 52314FB1644609AFDB20DFA5C884AEBBBFDEB14351B10442EF516E2251D730ED86DB60

Function 00901901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00901915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009019E2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e0ba3c33a4679f4e16532ad222eed2f6577f9441a40770f8440866522f1a99b3
Instruction ID: d70fb4b4fa6fb39d5f7f098c8fe09eb838668d4974a4ef5d6ffb3bacd39b222e
Opcode Fuzzy Hash: e0ba3c33a4679f4e16532ad222eed2f6577f9441a40770f8440866522f1a99b3
Instruction Fuzzy Hash: 9D31D172A00219EFCB00CFA8DD99ADE3BB5EB45315F104229F931A72D1C7709D44DB90

Function 00935706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00935745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0093579D
_wcslen.LIBCMT ref: 009357AF
_wcslen.LIBCMT ref: 009357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00935816

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 52c71ad7541b4e1fa5489207900159fbfad433e0533531d2099f0f4a62e37e2c
Instruction ID: a61686e8538dd3ca20ff28258ceddeefdb7c8094bcfbc74e3b03bb95be689522
Opcode Fuzzy Hash: 52c71ad7541b4e1fa5489207900159fbfad433e0533531d2099f0f4a62e37e2c
Instruction Fuzzy Hash: E221D2719046189BDB209FA4CC89AEE7BBDFF08324F108216E929EA190D7708A85CF51

Function 00920930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00920951
GetForegroundWindow.USER32 ref: 00920968
GetDC.USER32(00000000), ref: 009209A4
GetPixel.GDI32(00000000,?,00000003), ref: 009209B0
ReleaseDC.USER32(00000000,00000003), ref: 009209E8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: bedd4360ab7aec1f1b73775ceb0201d1c7552b898d0c7e7f7277bd910cbe8b42
Instruction ID: 53c7e3360dc8b6cea30d2cfefd7e1fccc8bd90cc760f0b29c783398fc2f1e867
Opcode Fuzzy Hash: bedd4360ab7aec1f1b73775ceb0201d1c7552b898d0c7e7f7277bd910cbe8b42
Instruction Fuzzy Hash: 83216F75A00614AFD704EF69D885AAEBBE9EF85740F048468E84AE7762CB70AC44DF50

Function 008DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008DCDE9

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008DCE0F
_free.LIBCMT ref: 008DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008DCE31

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5032335c54e29bb350981ac7b56a1133d0349b0f1ca5101b13fc37f1f780e47d
Instruction ID: 31a465e0de5cd190fb57e8e9b1b790a14ef3d12bea555ab3be048cbc21a6a544
Opcode Fuzzy Hash: 5032335c54e29bb350981ac7b56a1133d0349b0f1ca5101b13fc37f1f780e47d
Instruction Fuzzy Hash: F101D8F26056167F232116BAAC48D7BBB6DFEC6BA1315032BF905D7300DB608D01E6B1

Function 008B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B9693
SelectObject.GDI32(?,00000000), ref: 008B96A2
BeginPath.GDI32(?), ref: 008B96B9
SelectObject.GDI32(?,00000000), ref: 008B96E2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 836418272c9f21caf40007e0b56a2e3800ae82b4f8d71b900954da8a57c673a9
Instruction ID: 6fba6e1375b124e15aa1354815571f11118b16d09c9252a8677151d66b8b6bd7
Opcode Fuzzy Hash: 836418272c9f21caf40007e0b56a2e3800ae82b4f8d71b900954da8a57c673a9
Instruction Fuzzy Hash: 4221B372829309EBDB108F6CEC047E97BB4FB61355F100216F654E62B0D3705886EF90

Function 008B990F Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008B98CC
SetTextColor.GDI32(?,?), ref: 008B98D6
SetBkMode.GDI32(?,00000001), ref: 008B98E9
GetStockObject.GDI32(00000005), ref: 008B98F1
GetWindowLongW.USER32(?,000000EB), ref: 008B9952

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 162ba42c083d00564e27180124c1a4c539a85e694e23811dd2e87ec26b9543e7
Instruction ID: 74762c2b8313bd11a258293a60c24563c02dc3db5c4ce822964935c04dcd51a4
Opcode Fuzzy Hash: 162ba42c083d00564e27180124c1a4c539a85e694e23811dd2e87ec26b9543e7
Instruction Fuzzy Hash: B621D1726492809FDB228F29EC55AE53F60FB16331B08019DE7D2DB2B2C7364981DB10

Function 00905711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00905726
_memcmp.LIBVCRUNTIME ref: 00905744
_memcmp.LIBVCRUNTIME ref: 00905757
_memcmp.LIBVCRUNTIME ref: 0090576F
_memcmp.LIBVCRUNTIME ref: 00905787

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 46e7530d65647f6d141438e2cf599ae2dd55a709ede3c7d144740670fa7b68e0
Instruction ID: cc7eac5dbc1e8b010a631e68eb5a12d3cb08eba7efc81f0565333045649f8cdb
Opcode Fuzzy Hash: 46e7530d65647f6d141438e2cf599ae2dd55a709ede3c7d144740670fa7b68e0
Instruction Fuzzy Hash: 0201B9A1681605BFD71855249E96FBB736DEF6239CF014024FD08DA2C2F774EE10AAA1

Function 008D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008CF2DE,008D3863,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6), ref: 008D2DFD
_free.LIBCMT ref: 008D2E32
_free.LIBCMT ref: 008D2E59
SetLastError.KERNEL32(00000000,008A1129), ref: 008D2E66
SetLastError.KERNEL32(00000000,008A1129), ref: 008D2E6F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ef4ce6fa96fd9408be92b8404c3130e6d241224803bcea38ed62811f15e1b395
Instruction ID: 46c76a60386301cf038ec66e64d245822e9498511f3c71475acaacee1fe96fe0
Opcode Fuzzy Hash: ef4ce6fa96fd9408be92b8404c3130e6d241224803bcea38ed62811f15e1b395
Instruction Fuzzy Hash: 4C01F472609A006BC61267386C45E2B2759FBF13B6B25472BF425E33D3EBB0CC016122

Function 0090000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?,?,0090035E), ref: 0090002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?), ref: 00900064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008FFF41,80070057,?,?), ref: 00900070

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 362df0e0339734f6e7d2121ceb2a69d1f2ba7b62b4f087e74ad0129632ff6226
Instruction ID: 2aba48274c6fe5fa54fd22abe1c7681d8aae7f7199fbeadb6488e261cd537492
Opcode Fuzzy Hash: 362df0e0339734f6e7d2121ceb2a69d1f2ba7b62b4f087e74ad0129632ff6226
Instruction Fuzzy Hash: C801A2B6610604BFDB104F68DC08BAA7AFDEF84791F144124F905E2250DB75DE40DBA0

Function 0090E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0090E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0090E9A5
Sleep.KERNEL32(00000000), ref: 0090E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0090E9B7
Sleep.KERNEL32 ref: 0090E9F3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a7eda483eb58c66cd5bd608ae74acdebbfd121ab8b8219faa6ffd3eb09c9cd6d
Instruction ID: 699a86768726dea1dd7bca041aa6344fdfbe7a2c0695706a42a911e225120f9b
Opcode Fuzzy Hash: a7eda483eb58c66cd5bd608ae74acdebbfd121ab8b8219faa6ffd3eb09c9cd6d
Instruction Fuzzy Hash: 05015771C09A2DDFCF00ABE5D849AEDBB78FB09301F000946E512B2290CB349650ABA1

Function 009010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00901114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 0090112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00900B9B,?,?,?), ref: 00901136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0090114D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1e77497275e2f6dc8428e545c46e470a62ee5470ba0b325a5a6cc32553dd93b0
Instruction ID: d1105a821413b499e34c3bc10b3639dbc91740d9b8d5ea9549bd3990393eb419
Opcode Fuzzy Hash: 1e77497275e2f6dc8428e545c46e470a62ee5470ba0b325a5a6cc32553dd93b0
Instruction Fuzzy Hash: FB0119B5214615BFDB154FA5DC49A6A3B6EEF893A0B204419FA45E73A0DB31DC00AF60

Function 00900FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00900FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00900FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00900FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00900FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00901002

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c918651e07f71c7d6fd7faaeb7d7f4067a241c8dee2e25b33393193188589e1c
Instruction ID: 0dc1237d26d594aa47392153fc4e5dec0913fefe95286d9ae08cd031d879c2cc
Opcode Fuzzy Hash: c918651e07f71c7d6fd7faaeb7d7f4067a241c8dee2e25b33393193188589e1c
Instruction Fuzzy Hash: 2DF049B5214701AFDB224FA49C49F563BADEF89762F104414FA85E72A1CA70DC50AF60

Function 00901014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0090102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00901036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0090104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901062

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 96c2ed976fa3eeacd162d0404c739a6c52b412db2d85061cbdda08f537fa1bc0
Instruction ID: 18970afcc610d3e14b844a97e517afa91fc01eab594285f44f220973c79c9eb2
Opcode Fuzzy Hash: 96c2ed976fa3eeacd162d0404c739a6c52b412db2d85061cbdda08f537fa1bc0
Instruction Fuzzy Hash: ABF06DB5214701EFDB215FA4EC49F563BADEF89B61F100414FA85E7290CA70D850AF60

Function 0091030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910324
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910331
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 0091033E
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 0091034B
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910358
CloseHandle.KERNEL32(?,?,?,?,0091017D,?,009132FC,?,00000001,008E2592,?), ref: 00910365

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8e31735e56c5c1e74a90c26e15472e798bbd5a29463b21347815cd9021d6a295
Instruction ID: 095103d8820fea49e929da173605c66b57ecf5c5cb6b60cdf20857c5a38ccc1a
Opcode Fuzzy Hash: 8e31735e56c5c1e74a90c26e15472e798bbd5a29463b21347815cd9021d6a295
Instruction Fuzzy Hash: 4F01A272900B199FCB30AF66D880452F7F9BF903153158A3FD1A652931C3B2A996DF80

Function 008DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008DD752

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008DD764
_free.LIBCMT ref: 008DD776
_free.LIBCMT ref: 008DD788
_free.LIBCMT ref: 008DD79A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: caf7627b778383241384037fdff42a9417d50ace8bbb14e521d53d867793d4b7
Instruction ID: 979a293d8cc32564ba72f73aad0cfcd8a989916de26bd1a7a2f97fc58eb7e340
Opcode Fuzzy Hash: caf7627b778383241384037fdff42a9417d50ace8bbb14e521d53d867793d4b7
Instruction Fuzzy Hash: 3AF06272554304BB8625FB68F9C1D267BDDFB44310B940A4BF098D7701C730FC80AA61

Function 00905C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00905C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00905C6F
MessageBeep.USER32(00000000), ref: 00905C87
KillTimer.USER32(?,0000040A), ref: 00905CA3
EndDialog.USER32(?,00000001), ref: 00905CBD

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8bbe411ee2846fa80fbbd1a8ca129cb0c98f2e03f81eda8746239c23be18ca9f
Instruction ID: d06f18121d98c0fc6f2eb90f409d6a737d3780f1917523a406023caba6b34051
Opcode Fuzzy Hash: 8bbe411ee2846fa80fbbd1a8ca129cb0c98f2e03f81eda8746239c23be18ca9f
Instruction Fuzzy Hash: DF01D171500B14AFFB205B10DE4FFA67BB8BB00B09F011559E583B10E0DBF4A9849F90

Function 008D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008D22BE

Part of subcall function 008D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000), ref: 008D29DE
Part of subcall function 008D29C8: GetLastError.KERNEL32(00000000,?,008DD7D1,00000000,00000000,00000000,00000000,?,008DD7F8,00000000,00000007,00000000,?,008DDBF5,00000000,00000000), ref: 008D29F0

_free.LIBCMT ref: 008D22D0
_free.LIBCMT ref: 008D22E3
_free.LIBCMT ref: 008D22F4
_free.LIBCMT ref: 008D2305

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 664c4bcad3cdb378f624335297d29918f67c7d7d71263ed02381d06b93b75718
Instruction ID: d07eaa8655b1b0bf172b208b6c25ed50ee288356b6d2d7ff21ab6f011108293f
Opcode Fuzzy Hash: 664c4bcad3cdb378f624335297d29918f67c7d7d71263ed02381d06b93b75718
Instruction Fuzzy Hash: 67F0D0B64291109BC622BF6CBC11D583F65F72CB51745064BF418D7372CB710591BBA5

Function 008B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008B95D4
StrokeAndFillPath.GDI32(?,?,008F71F7,00000000,?,?,?), ref: 008B95F0
SelectObject.GDI32(?,00000000), ref: 008B9603
DeleteObject.GDI32 ref: 008B9616
StrokePath.GDI32(?), ref: 008B9631

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 42c200347a3e5b7f4c8ba2b31d50a930ee7698bcec92fd86015795a363b1c5b6
Instruction ID: fc58a768d9a7e59905463722601aa4371eb2de4b1ef1aa6db02611cce1330f94
Opcode Fuzzy Hash: 42c200347a3e5b7f4c8ba2b31d50a930ee7698bcec92fd86015795a363b1c5b6
Instruction Fuzzy Hash: 14F0193602D648EBDB265F69ED1C7A83F61FB11362F048214F669A51F0C7308992FF20

Function 008D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008D10F9
__freea.LIBCMT ref: 008D1117

Part of subcall function 008D1537: _free.LIBCMT ref: 008D154F

Strings

a/p, xrefs: 008D11DE
am/pm, xrefs: 008D117A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 607a1f304f305a8c0b8d3a3733abe10e084f30f911dbabba2b6cb2ce2aa5661e
Instruction ID: 89b4f002e4fd4eb0442494bb488060f846a3e4c82c7ce36cf46b6b01f78c35ef
Opcode Fuzzy Hash: 607a1f304f305a8c0b8d3a3733abe10e084f30f911dbabba2b6cb2ce2aa5661e
Instruction Fuzzy Hash: 0FD1CF3190020AAADF289F68C85DBBAB7B1FF05704F28435BE905DBB51D7799D80CB91

Function 00927B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008C0242: EnterCriticalSection.KERNEL32(0097070C,00971884,?,?,008B198B,00972518,?,?,?,008A12F9,00000000), ref: 008C024D
Part of subcall function 008C0242: LeaveCriticalSection.KERNEL32(0097070C,?,008B198B,00972518,?,?,?,008A12F9,00000000), ref: 008C028A

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 008C00A3: __onexit.LIBCMT ref: 008C00A9

__Init_thread_footer.LIBCMT ref: 00927BFB

Part of subcall function 008C01F8: EnterCriticalSection.KERNEL32(0097070C,?,?,008B8747,00972514), ref: 008C0202
Part of subcall function 008C01F8: LeaveCriticalSection.KERNEL32(0097070C,?,008B8747,00972514), ref: 008C0235

Strings

5, xrefs: 00927C78
G, xrefs: 00927C7F
Variable must be of type 'Object'., xrefs: 00927C3A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2ef2ef553469b4a44babf958cf0687a42ec74bfbe5f1df511eb6e04b916b5f88
Instruction ID: 8a352c2c2e9b341d1529319ce023f22cd6560aa75bf97cb16fd96c5020e49ed3
Opcode Fuzzy Hash: 2ef2ef553469b4a44babf958cf0687a42ec74bfbe5f1df511eb6e04b916b5f88
Instruction Fuzzy Hash: 57918A70A04219EFCB14EF98E8919ADB7B5FF45300F108459F846AB3A6DB31AE41CB52

Function 00902716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0090B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009021D0,?,?,00000034,00000800,?,00000034), ref: 0090B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00902760

Part of subcall function 0090B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0090B3F8

Part of subcall function 0090B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0090B355
Part of subcall function 0090B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00902194,00000034,?,?,00001004,00000000,00000000), ref: 0090B365
Part of subcall function 0090B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00902194,00000034,?,?,00001004,00000000,00000000), ref: 0090B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0090281A

Strings

@, xrefs: 00902832

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 05c0fad8981e2b8401c7c0a3a41eb4aa5f95cd5f9b6a613a876c4bfd5160ec88
Instruction ID: 06126a71050f6bf3fe7829e1f25c21111dc34b82ae198a667e4b77eb1a2a79ec
Opcode Fuzzy Hash: 05c0fad8981e2b8401c7c0a3a41eb4aa5f95cd5f9b6a613a876c4bfd5160ec88
Instruction Fuzzy Hash: 0B414C76901218AFDB10DFA4CD46BEEBBB8EF49300F108095FA55B7191DB706E45CBA1

Function 008D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008D1769
_free.LIBCMT ref: 008D1834
_free.LIBCMT ref: 008D183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008D1760, 008D1767, 008D1796, 008D17CE

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 31cd0de53061c45b3628a845fce2bc81acbaccc8e8555966f6f2394edc987b41
Instruction ID: f0a1a7a39d0c59dc7f2243f0ed5d041099038e8dcb8f14d3152b876acc64d598
Opcode Fuzzy Hash: 31cd0de53061c45b3628a845fce2bc81acbaccc8e8555966f6f2394edc987b41
Instruction Fuzzy Hash: A0316F75A04218BBDF21DB99D889D9EBBFCFF95710B144267F404D7312D6708A40EB91

Function 0090C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0090C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0090C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00971990,01345908), ref: 0090C395

Strings

0, xrefs: 0090C2DF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 16524dcd04f2572f7fa8183051b95a5a1057b26cc41fc3bb63a024c43c75c299
Instruction ID: 94bcfb0217da53e202c9587ccccf5608a562287b8355b86e9067020dcd81702c
Opcode Fuzzy Hash: 16524dcd04f2572f7fa8183051b95a5a1057b26cc41fc3bb63a024c43c75c299
Instruction Fuzzy Hash: C541A0B12183019FDB20DF29D884B5ABBE8EF85321F148B1DF9A5972D1D730E904CB62

Function 00934416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0093CC08,00000000,?,?,?,?), ref: 009344AA
GetWindowLongW.USER32 ref: 009344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009344D7

Strings

SysTreeView32, xrefs: 0093447C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b1faa37f096567bb82f38ec8c7ff50aa918ef0ee6f1215c7bd2c9aad708907ca
Instruction ID: 7ea707590ce6278e30360a07f89b9b1ad02336a77fd06cf1373a3778de46ed9e
Opcode Fuzzy Hash: b1faa37f096567bb82f38ec8c7ff50aa918ef0ee6f1215c7bd2c9aad708907ca
Instruction Fuzzy Hash: 1131AB72214605AFDB209E38DC45BEA7BA9EB09338F214725F979E22E0D770EC519B50

Function 0092304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0092335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00923077,?,?), ref: 00923378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0092307A
_wcslen.LIBCMT ref: 0092309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00923106

Strings

255.255.255.255, xrefs: 00923095, 0092309A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: f3a20b438c9ae6ac08abf08970e6b3cf479e0fc949fae867f7ea749c6e557955
Instruction ID: 0273c18833a827c373f4c43c0d8743670ba571f2bf3358837859294adb26ea5a
Opcode Fuzzy Hash: f3a20b438c9ae6ac08abf08970e6b3cf479e0fc949fae867f7ea749c6e557955
Instruction Fuzzy Hash: 0E31D0352042219FCB20CF68E486EAA77E4EF15318F24C459E8158B396CB3AEE45CB71

Function 00933EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00933F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00933F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00933F78

Strings

SysMonthCal32, xrefs: 00933F0B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1c779fa67568c1c345a2247d849f3f8100744a6f5f5ca908f4d945dc45367973
Instruction ID: 2d6ad234f5db79aac0115f1a9c16b935e3f00467bef11c5b3fe33310678305ac
Opcode Fuzzy Hash: 1c779fa67568c1c345a2247d849f3f8100744a6f5f5ca908f4d945dc45367973
Instruction Fuzzy Hash: E621BF32650219BFEF218F94CC46FEA3B79EB88718F114214FA15BB1D0D6B5AC909B90

Function 00934653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00934705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00934713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0093471A

Strings

msctls_updown32, xrefs: 00934684

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f31bc6e15e4e04362dab25efc66d6d5083b863172b7aba7126b53e811022792f
Instruction ID: 4357b0a8b60b9ff911187ba552f0b6636da18df6059fb0b0d03dddedc28ae1e3
Opcode Fuzzy Hash: f31bc6e15e4e04362dab25efc66d6d5083b863172b7aba7126b53e811022792f
Instruction Fuzzy Hash: 8C215EB5604209AFEB10DF68DC81DA737ADEB5A3A8B050059FA059B251CB70FC51DE60

Function 009095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090961D

Strings

#requireadmin, xrefs: 009095D9
#notrayicon, xrefs: 009095B7
#OnAutoItStartRegister, xrefs: 009095F3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: fdb941eacd2329dea0e3621ec7e803d380ab8b26aad766a6e0cf9b79e689191c
Instruction ID: 1260e3fad5442fd90a363d593365916baedcb062c3e2b6de58678d82fe68eecc
Opcode Fuzzy Hash: fdb941eacd2329dea0e3621ec7e803d380ab8b26aad766a6e0cf9b79e689191c
Instruction Fuzzy Hash: 9F213872104611AED331AA299C16FB773ECEF91300F10442AF949DB1C3EB66DD41D296

Function 009337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00933840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00933850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00933876

Strings

Listbox, xrefs: 0093380F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7ab8711ebcac30e30584158067bf1da0818618f8e93ed45f2d1131258d7d6e8b
Instruction ID: e53f7fe929fbb601f3dde5981ef44579231648897e94669a9ad68321bddd8886
Opcode Fuzzy Hash: 7ab8711ebcac30e30584158067bf1da0818618f8e93ed45f2d1131258d7d6e8b
Instruction Fuzzy Hash: 5B21A172654218BBEF218FA4DC85FBB376EEF89764F11C124F905AB190C671DC528BA0

Function 009149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00914A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00914A5C
SetErrorMode.KERNEL32(00000000,?,?,0093CC08), ref: 00914AD0

Strings

%lu, xrefs: 00914A6F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 8bb39496aaf81c86ce2f8f42d8e8ba8cc8ccf236267d493424109ceb6e47fd3b
Instruction ID: eaa645135d95816b93d31f45fee326e20d83ae1a27acf1ff38927aa40cf6047a
Opcode Fuzzy Hash: 8bb39496aaf81c86ce2f8f42d8e8ba8cc8ccf236267d493424109ceb6e47fd3b
Instruction Fuzzy Hash: 9C318F75A04108AFDB10DF58C885EAA7BF8FF09318F1480A4F909EB252D771EE45DB62

Function 009341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0093424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00934264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00934271

Strings

msctls_trackbar32, xrefs: 00934226

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7267bf1df6ff0816974b9b812188c12957739dde21cd8d76f53a0d45ee0b139b
Instruction ID: 31053619b3e0d70db68087b0989187e6bec88f4b2e439997b334f4a36f038c64
Opcode Fuzzy Hash: 7267bf1df6ff0816974b9b812188c12957739dde21cd8d76f53a0d45ee0b139b
Instruction Fuzzy Hash: B4110631240208BFEF205F69CC06FAB3BACEF95B58F020514FA55F20A0D271EC619B10

Function 00902F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A6B57: _wcslen.LIBCMT ref: 008A6B6A

Part of subcall function 00902DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00902DC5
Part of subcall function 00902DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00902DD6
Part of subcall function 00902DA7: GetCurrentThreadId.KERNEL32 ref: 00902DDD
Part of subcall function 00902DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00902DE4

GetFocus.USER32 ref: 00902F78

Part of subcall function 00902DEE: GetParent.USER32(00000000), ref: 00902DF9

GetClassNameW.USER32(?,?,00000100), ref: 00902FC3
EnumChildWindows.USER32(?,0090303B), ref: 00902FEB

Strings

%s%d, xrefs: 00902FFF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0db2ce897d24747e4328f7ca41018035717a3bae9b0ad5195c33fa8b469554e8
Instruction ID: 1cbb73910fd4c66609212be36dcee249d86a3eac32900ce4efbe76aba928e9ff
Opcode Fuzzy Hash: 0db2ce897d24747e4328f7ca41018035717a3bae9b0ad5195c33fa8b469554e8
Instruction Fuzzy Hash: B81190B1600205ABDF157F648C8AEED776EAF84318F049075B909AB2D2DE3099459B70

Function 00935882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009358EE
DrawMenuBar.USER32(?), ref: 009358FD

Strings

0, xrefs: 0093588F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4a22e72f12bad90e4d5e2d9bc0626b99f170ea14ccdc618cd4eca597e9d968b8
Instruction ID: a701943c0fb6234cad32916fa0a36aa5d223cffbdadb5bb355708549ad8a0d3c
Opcode Fuzzy Hash: 4a22e72f12bad90e4d5e2d9bc0626b99f170ea14ccdc618cd4eca597e9d968b8
Instruction Fuzzy Hash: F6018B71504208EFDB209F11DC48BAFBBB9FB49360F008099F848DA261DB308A80EF21

Function 0090007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4806d44924b9b17b2ee6495fc086abe4c3440ae3859738e10957a591ead2c03c
Instruction ID: 8eae75f19c30ab7de9bd3886025bcd6c261d8e7a8a46062b4c65bcde94a9c779
Opcode Fuzzy Hash: 4806d44924b9b17b2ee6495fc086abe4c3440ae3859738e10957a591ead2c03c
Instruction Fuzzy Hash: C2C12B75A0020AEFDB15CF98C894BAEB7B9FF88704F108598E515EB291D731DE41DB90

Function 008D3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008D3F0B
__alldvrm.LIBCMT ref: 008D410C
__alldvrm.LIBCMT ref: 008D412E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c2f97a41250226596964ec8a8226450f4290435edfaae378c4e120611d222d7f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: FAA12572A0078A9FDB25CF18C891BAEBBE5FF61350F18426EE585DB381C6348D81C751

Function 0092342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00923459
CoUninitialize.OLE32 ref: 00923463
VariantInit.OLEAUT32(?), ref: 0092346E
VariantClear.OLEAUT32(?), ref: 0092371B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 55430e1758ddd94ba43969babca8d80ef873198396a571e4d616f9b8bcf4e5ff
Instruction ID: 59205bf8a46ca652832df316f592c066a8f2347aea4da1a7a2bef34b8e90cb37
Opcode Fuzzy Hash: 55430e1758ddd94ba43969babca8d80ef873198396a571e4d616f9b8bcf4e5ff
Instruction Fuzzy Hash: 6EA15D756043109FD710EF28D885A2AB7E9FF89710F048859F98ADB366DB34ED01CB92

Function 00900436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0093FC08,?), ref: 009005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0093FC08,?), ref: 00900608
CLSIDFromProgID.OLE32(?,?,00000000,0093CC40,000000FF,?,00000000,00000800,00000000,?,0093FC08,?), ref: 0090062D
_memcmp.LIBVCRUNTIME ref: 0090064E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 278d90c821901c28aa2237b84a959b0e05f03d48de66e9cb3653de630e510db3
Instruction ID: bd7c4cd2a6d43e465851d6576604f0dab86998134bfc16051ca460f9f53ef0a8
Opcode Fuzzy Hash: 278d90c821901c28aa2237b84a959b0e05f03d48de66e9cb3653de630e510db3
Instruction Fuzzy Hash: 4281E875A00109EFCB04DF94C984EEEB7BAFF89315F204558F506AB290DB71AE06CB60

Function 0092A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0092A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0092A6BA

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0092A79C
CloseHandle.KERNEL32(00000000), ref: 0092A7AB

Part of subcall function 008BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008E3303,?), ref: 008BCE8A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 48beeb30f58746f280b8a040758237e7382e655616f687e1b48ea831bc7d9335
Instruction ID: eb2b1bb9b189d8ec863867f8a4aa74153200910488d541dc9474718510f73eb7
Opcode Fuzzy Hash: 48beeb30f58746f280b8a040758237e7382e655616f687e1b48ea831bc7d9335
Instruction Fuzzy Hash: 2C512CB15083109FD710EF28D886A6BBBE8FF89754F04892DF595D7251EB70E904CB92

Function 008E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008E14C0

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8ecaafd4eddc9a7e6089908ec6f5ee64a61da8e224a0e8e5757ebe8e34d15148
Instruction ID: 95e0df1a3eba4bbdf6790cf1a05bfe993dd5a0b211da71d6a1f692f721ffcaf0
Opcode Fuzzy Hash: 8ecaafd4eddc9a7e6089908ec6f5ee64a61da8e224a0e8e5757ebe8e34d15148
Instruction Fuzzy Hash: 5F413A31600554ABEF217BBE8C49BAE3BB6FF43334F14422AF418D23D2E67488419267

Function 00936278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009362E2
ScreenToClient.USER32(?,?), ref: 00936315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00936382

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7dcd17ee3fde7a4bd1c50699fc4ca1206e4c3f37573779db197a252bb5ca9084
Instruction ID: ee8c54f7e9a1718529b6995fad12445d51d03a08e0d1a0f60a0b2b65eb12e94f
Opcode Fuzzy Hash: 7dcd17ee3fde7a4bd1c50699fc4ca1206e4c3f37573779db197a252bb5ca9084
Instruction Fuzzy Hash: EB512975A00209AFDF14DF68D881AAE7BBAFB45360F108169F9659B2A0D730ED81DF50

Function 00921AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00921AFD
WSAGetLastError.WSOCK32 ref: 00921B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00921B8A
WSAGetLastError.WSOCK32 ref: 00921B94

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: cb6bbfa7ca57ab4c6b89e1af6ede0ac0dbeecae3d26cc0164a3893a9c88fc81e
Instruction ID: a56b2af6e4d9612e7fe4743ee1e6a246907ebc34831a990d4f8281925d040916
Opcode Fuzzy Hash: cb6bbfa7ca57ab4c6b89e1af6ede0ac0dbeecae3d26cc0164a3893a9c88fc81e
Instruction Fuzzy Hash: 8341F074600200AFE720AF28D886F2A77E5EB44708F548448F91A9F7D7E772ED41CB91

Function 008DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388e18e054701a0d3e1f4aaf335733847804b313a42ed2947b1401b14e082062
Instruction ID: 7badada756d7fd85f66ebaa0e467f52ddca7bb17b0b174905abaade70d9f6469
Opcode Fuzzy Hash: 388e18e054701a0d3e1f4aaf335733847804b313a42ed2947b1401b14e082062
Instruction Fuzzy Hash: 3D41CF75A00244EFE724DE3CC841BAABBAAFB88720F11462FF141DB382D77199018791

Function 009156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00915783
GetLastError.KERNEL32(?,00000000), ref: 009157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009157FA

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bbcda836b6600244e121f94fd970b1bfbe309e05bac2537320c09a9b581f50d6
Instruction ID: 51906b4e2e2d014bf4eaf03d8b8375a0b1cd442963a00031d98dce946e20dcbd
Opcode Fuzzy Hash: bbcda836b6600244e121f94fd970b1bfbe309e05bac2537320c09a9b581f50d6
Instruction Fuzzy Hash: B2411F39600614DFDB11EF19C545A5EBBE6FF89310B19C488E84AAB762CB34FD40DB91

Function 008DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008C6D71,00000000,00000000,008C82D9,?,008C82D9,?,00000001,008C6D71,8BE85006,00000001,008C82D9,008C82D9), ref: 008DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008DD9AB
__freea.LIBCMT ref: 008DD9B4

Part of subcall function 008D3820: RtlAllocateHeap.NTDLL(00000000,?,00971444,?,008BFDF5,?,?,008AA976,00000010,00971440,008A13FC,?,008A13C6,?,008A1129), ref: 008D3852

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2c5cddd5e7b34bb44133d9fcd1e58b6ad0ab26b3b985dd43e4e12724065cc8b4
Instruction ID: 00710c0cc3e5b5dc7becf3dbd30357b73bfa212be6445b713aedd54a74a51b89
Opcode Fuzzy Hash: 2c5cddd5e7b34bb44133d9fcd1e58b6ad0ab26b3b985dd43e4e12724065cc8b4
Instruction Fuzzy Hash: 2531D072A0020ABBDF249F68DC91EAE7BA5FB40310F054269FC04E7250EB36DD50DB91

Function 009352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00935352
GetWindowLongW.USER32(?,000000F0), ref: 00935375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00935382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009353A8

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: fd6e5f814914ccd4f1496ce1d39db65a857cfe4832a563f73858a6862287421a
Instruction ID: 68e47fe6b47f4d935e47636401d840bb5f46057c017dedf502ed6440898bdf1a
Opcode Fuzzy Hash: fd6e5f814914ccd4f1496ce1d39db65a857cfe4832a563f73858a6862287421a
Instruction Fuzzy Hash: 6231C575A59A08EFEB349F18CC06BE8776AEB0D3D0F594501FA10961E1C7B49D80EF42

Function 0090AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0090ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0090AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0090AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0090ACC6

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3bb0ef27bb883d212ec6a44d9ba7d98e22cdbb6862a64a78f635a98b8670afb0
Instruction ID: 428d155513763f1690146663b0514c28b182645b7071428eabdd40eefad75dec
Opcode Fuzzy Hash: 3bb0ef27bb883d212ec6a44d9ba7d98e22cdbb6862a64a78f635a98b8670afb0
Instruction Fuzzy Hash: C5312470A04728AFFF35CB658C097FE7BA9AB89310F05471AE4C5961D1C3788D8197D2

Function 00937674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0093769A
GetWindowRect.USER32(?,?), ref: 00937710
PtInRect.USER32(?,?,00938B89), ref: 00937720
MessageBeep.USER32(00000000), ref: 0093778C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 00ea199bd289b865f8b49f332a6a3b74cd1719e6a4e35fb0e1a6fba81b8456f0
Instruction ID: 182fa0473dd92b5ba9a80ff003670deb422c88702bb8eb9869e65cb3227c96b2
Opcode Fuzzy Hash: 00ea199bd289b865f8b49f332a6a3b74cd1719e6a4e35fb0e1a6fba81b8456f0
Instruction Fuzzy Hash: DA41AEB5609219EFCB21CF98D895FA9B7F5FF49314F1440A8E5169B261C330E942DF90

Function 009316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009316EB

Part of subcall function 00903A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00903A57
Part of subcall function 00903A3D: GetCurrentThreadId.KERNEL32 ref: 00903A5E
Part of subcall function 00903A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009025B3), ref: 00903A65

GetCaretPos.USER32(?), ref: 009316FF
ClientToScreen.USER32(00000000,?), ref: 0093174C
GetForegroundWindow.USER32 ref: 00931752

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8645950bc59b298bfe7d7245cade2619e92bdbfffe5379a9f47bdc6b6249cf0b
Instruction ID: 4f940a589185f28efb29e6a31f815262127e7326d1b079181abf793eec4077a4
Opcode Fuzzy Hash: 8645950bc59b298bfe7d7245cade2619e92bdbfffe5379a9f47bdc6b6249cf0b
Instruction Fuzzy Hash: C3315071E00109AFD700DFA9C881DAEB7FDFF89304B548069E416E7611EA319E45CFA1

Function 00938FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

GetCursorPos.USER32(?), ref: 00939001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008F7711,?,?,?,?,?), ref: 00939016
GetCursorPos.USER32(?), ref: 0093905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008F7711,?,?,?), ref: 00939094

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 63edf49b1bb08b460545ccda31c54e9e9f23cddc0c65fb2ca608ed86d8ec253b
Instruction ID: 1ec2a7fc95b5555c73709164ec20dbd0eb3fabe2a6eb0d047da48692d5ef8b03
Opcode Fuzzy Hash: 63edf49b1bb08b460545ccda31c54e9e9f23cddc0c65fb2ca608ed86d8ec253b
Instruction Fuzzy Hash: 4621BF36615118EFCB298F98C858FEA3BB9EB49360F004055F90597261C3719D90EF60

Function 0090D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0093CB68), ref: 0090D2FB
GetLastError.KERNEL32 ref: 0090D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0090D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0093CB68), ref: 0090D376

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 802bf77f3833d8dcf5cb9f0ec00db042c1ad2a0e4d86669828eb9fd07cba7b4f
Instruction ID: e6a4b4055bffe489523d6dca259c16fda3a0155affa44ca533ea822def29b2d9
Opcode Fuzzy Hash: 802bf77f3833d8dcf5cb9f0ec00db042c1ad2a0e4d86669828eb9fd07cba7b4f
Instruction Fuzzy Hash: A2217F7150A3019FC710DF68C88186AB7E8FE96768F104A1DF4A9D72E1D731DA46CB93

Function 00901571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00901014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0090102A
Part of subcall function 00901014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00901036
Part of subcall function 00901014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901045
Part of subcall function 00901014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0090104C
Part of subcall function 00901014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00901062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009015BE
_memcmp.LIBVCRUNTIME ref: 009015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00901617
HeapFree.KERNEL32(00000000), ref: 0090161E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f55000c8e80c7b692fa3176f8d1d1cc5061a17803d5a88f049f0edc3a0d72aa0
Instruction ID: 6bee8ebb9c5663809c43a63fe9f58e8bf591bbd7c5eb915e078ba52a9b67e4c3
Opcode Fuzzy Hash: f55000c8e80c7b692fa3176f8d1d1cc5061a17803d5a88f049f0edc3a0d72aa0
Instruction Fuzzy Hash: F4214872E00109EFDF14DFA4CD49BEEB7B8EF84354F184459E441AB281E771AA45DBA0

Function 00932782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0093280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00932824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00932832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00932840

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 901951576a15d302642c49a596f15864849f1e7ccff24a65b7a2f2e3ce3725b0
Instruction ID: 48b95077e9951dde59fc28654ea7643a39b4942ab00000776c95bcf2d54642c1
Opcode Fuzzy Hash: 901951576a15d302642c49a596f15864849f1e7ccff24a65b7a2f2e3ce3725b0
Instruction Fuzzy Hash: C421B031608611AFE7149B24C855FAA7B99FF86324F148158F426CB6E2CB75FC82CF91

Function 009078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00908D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0090790A,?,000000FF,?,00908754,00000000,?,0000001C,?,?), ref: 00908D8C
Part of subcall function 00908D7D: lstrcpyW.KERNEL32(00000000,?,?,0090790A,?,000000FF,?,00908754,00000000,?,0000001C,?,?,00000000), ref: 00908DB2
Part of subcall function 00908D7D: lstrcmpiW.KERNEL32(00000000,?,0090790A,?,000000FF,?,00908754,00000000,?,0000001C,?,?), ref: 00908DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00908754,00000000,?,0000001C,?,?,00000000), ref: 00907923
lstrcpyW.KERNEL32(00000000,?,?,00908754,00000000,?,0000001C,?,?,00000000), ref: 00907949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00908754,00000000,?,0000001C,?,?,00000000), ref: 00907984

Strings

cdecl, xrefs: 0090797B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 527888c3b15f6b162870f399c6c6620dc840e36f674722159c74eac7aab71155
Instruction ID: 23b9c6f62ae0c5054ae950cf99e4e14224cd9c19ff22ea55044bb70c2bf5f59e
Opcode Fuzzy Hash: 527888c3b15f6b162870f399c6c6620dc840e36f674722159c74eac7aab71155
Instruction Fuzzy Hash: E811E43A204201AFCB155F78C845E7BB7A9FF853A0B00402AF942CB2A4EB319811D7A1

Function 00937CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00937D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00937D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00937D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0091B7AD,00000000), ref: 00937D6B

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6ce69214151e82104c88c1cdce84669b835b34f1e574c1f6f81444daa91f2bde
Instruction ID: db391f67abcce8fb7662f7bd232ee0b46defd15677a233bb11e8a18aadca3f14
Opcode Fuzzy Hash: 6ce69214151e82104c88c1cdce84669b835b34f1e574c1f6f81444daa91f2bde
Instruction Fuzzy Hash: CD11D2B2118655AFCB208F68DC04AA67BA8AF45360F118724F939D72F0D7308951EF50

Function 00935660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009356BB
_wcslen.LIBCMT ref: 009356CD
_wcslen.LIBCMT ref: 009356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00935816

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b1ba712644eead9c3642cd5f52b08c28060ecb67bc23cb6c1581961873ed46a8
Instruction ID: bd22d7acb7ecd04194e686aa6bfd4ef04c6175f4f78f93a713c90b27c3908558
Opcode Fuzzy Hash: b1ba712644eead9c3642cd5f52b08c28060ecb67bc23cb6c1581961873ed46a8
Instruction Fuzzy Hash: 5811037560061896DB20DF65CC86AEE77BCFF09764F50442AF905D6091EB74CA84CF60

Function 008D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb9c67d6e5ab88c37a402a435400e0308baec5bf3508f6fd63cdbd4560d8ca3
Instruction ID: fd783765e961b270c1c96c689536ca4fd9c8146918471acbfc80b3bbbb87c01a
Opcode Fuzzy Hash: 7eb9c67d6e5ab88c37a402a435400e0308baec5bf3508f6fd63cdbd4560d8ca3
Instruction Fuzzy Hash: 7F014FB2219A1A7EFA2126B86CC5F67671EFF513B8B340327F521E13D2DB608C40A561

Function 00901A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00901A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00901A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00901A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00901A8A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24167ada9014aa724f02c677121b5de5686c55f3a126e221efb24b1966966e5d
Instruction ID: d34deb2e8c2f2621d00756277af96903a9bf4bc76f91fa3df6b94d8fdbfad89a
Opcode Fuzzy Hash: 24167ada9014aa724f02c677121b5de5686c55f3a126e221efb24b1966966e5d
Instruction Fuzzy Hash: B011F77AA01219FFEF119BA5CD85FADBBB8EB08754F200091EA04B7290D6716E50DB94

Function 0090E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0090E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0090E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0090E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0090E24D

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0e0099c390c996c0fe1f4bfbdb290cf3ea5f85a0a3873f70dde96a131fabd4f7
Instruction ID: 5588df4665368a71fac795fccd6ca66686e3d15dc2049e587a44dbfe6004bf93
Opcode Fuzzy Hash: 0e0099c390c996c0fe1f4bfbdb290cf3ea5f85a0a3873f70dde96a131fabd4f7
Instruction Fuzzy Hash: 181108B691C214BFC7019BAC9C09A9E7FACEB45314F004619F824E32D0D270CD009BA0

Function 008CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008CCFF9,00000000,00000004,00000000), ref: 008CD218
GetLastError.KERNEL32 ref: 008CD224
__dosmaperr.LIBCMT ref: 008CD22B
ResumeThread.KERNEL32(00000000), ref: 008CD249

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 54635bd63a5abd0069cc75af25a92ca9cea6fd3664268439ae8283cada0bb15a
Instruction ID: a9fcaae43ff0d3cdc999326d1d977147e77532f5ab25e21b31a0b5f397f75cc9
Opcode Fuzzy Hash: 54635bd63a5abd0069cc75af25a92ca9cea6fd3664268439ae8283cada0bb15a
Instruction Fuzzy Hash: 3C01C476415608BBD7116BA9DC09FAA7A79FF81330F10422EF925D21D1CB71D901D7A1

Function 00939EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008B9BB2

GetClientRect.USER32(?,?), ref: 00939F31
GetCursorPos.USER32(?), ref: 00939F3B
ScreenToClient.USER32(?,?), ref: 00939F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00939F7A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: a4ba8ef61c2021d0a86113a356fe0d2d431f2d713ca81f63afdec2bd8bef6cb2
Instruction ID: 33361adbd2e6514694a8b3d3cf93eb8eca8569b24bd95da8c91ceb46d91761db
Opcode Fuzzy Hash: a4ba8ef61c2021d0a86113a356fe0d2d431f2d713ca81f63afdec2bd8bef6cb2
Instruction Fuzzy Hash: D911457290461AABDB10EFA8D889AEE77B8FB45311F004451F912E3140D770BE81DFA1

Function 008A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008A604C
GetStockObject.GDI32(00000011), ref: 008A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 008A606A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 32ce4b28c8f24cea31a3f38d0fdb8055ce9d0d8fb566ce961dab533aec0f7e6c
Instruction ID: 6436c48961b5fa6d3af1a0b09e0e869706eb48340f1e72fc337e8e760016581d
Opcode Fuzzy Hash: 32ce4b28c8f24cea31a3f38d0fdb8055ce9d0d8fb566ce961dab533aec0f7e6c
Instruction Fuzzy Hash: 4011A1B3105909BFEF124FA49C44EEA7B69FF19364F040101FA15A2020D7329CA0EF90

Function 008C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008C3B56

Part of subcall function 008C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008C3AD2
Part of subcall function 008C3AA3: ___AdjustPointer.LIBCMT ref: 008C3AED

_UnwindNestedFrames.LIBCMT ref: 008C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008C3BA4

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1cc7737da65ab2aa85d9baf5fd505c2770a5766a9c5c64dbab58bbef61d863cc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 9E01E932100149BBDF125E99CC46EEB7B7DFF58764F048018FE48A6121C732E962DBA1

Function 008D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008A13C6,00000000,00000000,?,008D301A,008A13C6,00000000,00000000,00000000,?,008D328B,00000006,FlsSetValue), ref: 008D30A5
GetLastError.KERNEL32(?,008D301A,008A13C6,00000000,00000000,00000000,?,008D328B,00000006,FlsSetValue,00942290,FlsSetValue,00000000,00000364,?,008D2E46), ref: 008D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008D301A,008A13C6,00000000,00000000,00000000,?,008D328B,00000006,FlsSetValue,00942290,FlsSetValue,00000000), ref: 008D30BF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 722afac2ef4c2b2cd9ca902657cfe287248dfe5c8056033fbd320d7b153c5724
Instruction ID: 30ba5eb35ab83f3037ba43c39225607176545f0ca76a4a4cc1a6cfdf327ee006
Opcode Fuzzy Hash: 722afac2ef4c2b2cd9ca902657cfe287248dfe5c8056033fbd320d7b153c5724
Instruction Fuzzy Hash: 7E01F772319A26ABCB314B78AC449577B98FF45B61B140721F915F3340C721DD01CBE1

Function 00907464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0090747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00907497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009074CA

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 19a0812e4e19fb69c30d7397543eb8d5d42d0043da7f1c7f7864dc273bea441d
Instruction ID: fce25cdf612cec4a581b4902131027a704ed5d8dd6f5979bf8d262cffc0a861e
Opcode Fuzzy Hash: 19a0812e4e19fb69c30d7397543eb8d5d42d0043da7f1c7f7864dc273bea441d
Instruction Fuzzy Hash: 9D11A1B5A09714DFE7208F94DC08B92BBFDEB00B10F108969A656D61A1D7B4F904DF60

Function 0090B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0090ACD3,?,00008000), ref: 0090B126

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d110ef8cca97b1c818562756d85c4f222bd1de6261fa2528eec7debfc7e57004
Instruction ID: f80aebaf962f2ac4ee49fac5f32e885cea9a3c94e1dee395cd009f466a4ce5fd
Opcode Fuzzy Hash: d110ef8cca97b1c818562756d85c4f222bd1de6261fa2528eec7debfc7e57004
Instruction Fuzzy Hash: C8116D71C0992DEFCF00AFE4E9A8AEEBBB8FF09711F114485D941B2285CB3456609B91

Function 00937E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00937E33
ScreenToClient.USER32(?,?), ref: 00937E4B
ScreenToClient.USER32(?,?), ref: 00937E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00937E8A

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 628637ff2bbbf97d8b8bd75415c674c389bc25174618efac7f4ba2b66115b2f7
Instruction ID: ae19bbe15713d2a1ebb789e853da4a87ebd8d0e4540753cd46c72be7244ccb34
Opcode Fuzzy Hash: 628637ff2bbbf97d8b8bd75415c674c389bc25174618efac7f4ba2b66115b2f7
Instruction Fuzzy Hash: FD1143B9D0460AAFDB51CF98C8849EEBBF9FB08310F505056E915E2210D735AA54DF50

Function 00902DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00902DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00902DD6
GetCurrentThreadId.KERNEL32 ref: 00902DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00902DE4

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 26970910dd4b66e7c48fef952df71823fa1aeded70824ca44c0f349edfa02550
Instruction ID: 0e57d3950f306960e5e50f2d27ef6328ffadcd224a8212486e9fc908c4859936
Opcode Fuzzy Hash: 26970910dd4b66e7c48fef952df71823fa1aeded70824ca44c0f349edfa02550
Instruction Fuzzy Hash: 98E092B1119B24BBDB201BB29C0EFEB3E6CEF42BA5F000015F105E10C09AA4CC40EBB0

Function 00938863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B9693
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96A2
Part of subcall function 008B9639: BeginPath.GDI32(?), ref: 008B96B9
Part of subcall function 008B9639: SelectObject.GDI32(?,00000000), ref: 008B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00938887
LineTo.GDI32(?,?,?), ref: 00938894
EndPath.GDI32(?), ref: 009388A4
StrokePath.GDI32(?), ref: 009388B2

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3a72b3eb3150806a66a3a2649eabce9f88266d674878f1cd504835e3a0083e13
Instruction ID: ba58d64036fb9ded1404524c19a286c24ad7a67817312b3eea709f9979491a07
Opcode Fuzzy Hash: 3a72b3eb3150806a66a3a2649eabce9f88266d674878f1cd504835e3a0083e13
Instruction Fuzzy Hash: 15F03A36059A58FBDB125F98AC09FCA3B69AF06310F048000FB12750E2C7755551EFA5

Function 008B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008B98CC
SetTextColor.GDI32(?,?), ref: 008B98D6
SetBkMode.GDI32(?,00000001), ref: 008B98E9
GetStockObject.GDI32(00000005), ref: 008B98F1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0a257fbeb738324487c04047a366ddcf903866bf388eadc0b747d51a9907e990
Instruction ID: e0a05e632155c53d31e7cf927a45c6b1d0f4646b7f24ba44e8f136c3590b5804
Opcode Fuzzy Hash: 0a257fbeb738324487c04047a366ddcf903866bf388eadc0b747d51a9907e990
Instruction Fuzzy Hash: 0AE0657125C644AAEB215B74AC09BE83F10FB11335F048219F7F5A40E1C3714640AF10

Function 0090162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00901634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009011D9), ref: 0090163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009011D9), ref: 00901648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009011D9), ref: 0090164F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5101f121087f3586a8df58ba3d9bb06ee3f4065d67850ac05fb284754dacea7a
Instruction ID: 6b16eedb30e3fdd3c9a26028d7e06ccbc5de24270477d9c7dee27a3048e9fcd9
Opcode Fuzzy Hash: 5101f121087f3586a8df58ba3d9bb06ee3f4065d67850ac05fb284754dacea7a
Instruction Fuzzy Hash: 2DE08CB2616211EBDB201FA0AE0DB873B7CAF44792F148808F245E9080E7348444DF60

Function 008FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008FD858
GetDC.USER32(00000000), ref: 008FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008FD882
ReleaseDC.USER32(?), ref: 008FD8A3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c7f674f7d920f50440bad140d8b92d462d015fd7473a5c3849a0a9d17d7df94b
Instruction ID: c4776e625d0abbfb80b4742536761044f75ca752235ba73b966d78bffa521b33
Opcode Fuzzy Hash: c7f674f7d920f50440bad140d8b92d462d015fd7473a5c3849a0a9d17d7df94b
Instruction Fuzzy Hash: E6E01AB1814A09EFCF41AFA0D80D66DBBB2FB08314F108419F946F7260CB389901AF40

Function 008FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008FD86C
GetDC.USER32(00000000), ref: 008FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008FD882
ReleaseDC.USER32(?), ref: 008FD8A3

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e95fe4faa5c8bbc87fd7e7e6e466b74c6b13f5e8d1b86834883bc45a13db3961
Instruction ID: 078104afb3e4e1f5e590e0643fa2d63719a90e5e17bc3341dd1018b797d0aff8
Opcode Fuzzy Hash: e95fe4faa5c8bbc87fd7e7e6e466b74c6b13f5e8d1b86834883bc45a13db3961
Instruction Fuzzy Hash: E9E01AB1814A05EFCF40AFA0D80D66DBBB1FB08314F108008F846F7260CB385901AF40

Function 00914D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008A7620: _wcslen.LIBCMT ref: 008A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00914ED4

Strings

LPT, xrefs: 00914DFB
*, xrefs: 00914E10

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c3963e85d0cc81765c082739dc98ee13e3ad89bef0a144f5318637bda65f3fbf
Instruction ID: b272a6b41b82a6d0dbde330f9bb70f19709c0da9b97ad02b2c6dc9c17333cecd
Opcode Fuzzy Hash: c3963e85d0cc81765c082739dc98ee13e3ad89bef0a144f5318637bda65f3fbf
Instruction Fuzzy Hash: 1B915F75A002089FDB14DF58C484EAABBF5FF49304F198099E40A9F7A2D735ED86CB91

Function 008CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008CE30D

Strings

pow, xrefs: 008CE2E5, 008CE302

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e251327da6f83d6c452b7e8e5cbed98b118830491c51bc2f337d5c6792c4ca7e
Instruction ID: 40a509fba8cd9213e4abf55d22f245782b9caa99441ccea693c45f596991c0ce
Opcode Fuzzy Hash: e251327da6f83d6c452b7e8e5cbed98b118830491c51bc2f337d5c6792c4ca7e
Instruction Fuzzy Hash: EC515B61A1C20596DB157728C901B7A2BB4FB40B44F704EAEF095C23ADFB34DC859A46

Function 008BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008BE1B1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3b713f8239acf5b0ec5e05e9bbaa5f42f53f9714275492eb3a3c00f363a49d46
Instruction ID: d9fe28c4567c76b24c56d7d09e06051133b810b490f46bf119ceb01a72aec80e
Opcode Fuzzy Hash: 3b713f8239acf5b0ec5e05e9bbaa5f42f53f9714275492eb3a3c00f363a49d46
Instruction Fuzzy Hash: 0251117550424ADFEB25EF38C081AFA7BA4FF16310F244065F991DB2E0D6349D42CBA1

Function 008BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008BF2BB

Strings

@, xrefs: 008BF2AF

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d90f4c6d8b719c1c302abf5a751ea0b0799162a2dd96ab09ac42b78d26ec0a44
Instruction ID: c4b46e7de06069fc9c88f7d9b32ecc776d4c2322e4018914b8886e1a4ff00966
Opcode Fuzzy Hash: d90f4c6d8b719c1c302abf5a751ea0b0799162a2dd96ab09ac42b78d26ec0a44
Instruction Fuzzy Hash: 3E51277141C7449FE320AF15DC86BABBBF8FB85300F81885DF29981195EB709529CB67

Function 00925745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009257E0
_wcslen.LIBCMT ref: 009257EC

Strings

CALLARGARRAY, xrefs: 009257E6, 009257EB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a7b0ef9eb5d240dce40adc847c488fccb95a41c7ae9be2438ef03efa2fc5dc9d
Instruction ID: d5aa725d50d6b4e1fa7ca365c580dd8d3d0a0f4950ad1dd1baf8270d506af6c3
Opcode Fuzzy Hash: a7b0ef9eb5d240dce40adc847c488fccb95a41c7ae9be2438ef03efa2fc5dc9d
Instruction Fuzzy Hash: C1419F71E002199FCB14DFA8D8819BEBBF9FF59324F114029E505AB2A5E7749D81CB90

Function 0091D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0091D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0091D13A

Strings

|, xrefs: 0091D10B

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 76f617bec89dd20001a6abcb07dfdac06d4535f67bdf64522435beaf086410af
Instruction ID: 25b7fc70911911ce7adb75f622289336887e29e50753fe52c89c1f1582dd90c7
Opcode Fuzzy Hash: 76f617bec89dd20001a6abcb07dfdac06d4535f67bdf64522435beaf086410af
Instruction Fuzzy Hash: 4B314C71D01219ABDF15EFE4CC85AEEBFB9FF05300F100019F815A6165E735AA56CB51

Function 0093356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00933621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0093365C

Strings

static, xrefs: 009335BC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2af5b479b23726d604d041116cff2e80767a4e24480f952c0d8963b5c5abd51c
Instruction ID: b78255602c9139348874e05eac2919c6f128e8417f1e926b3d6b92508dfa3caf
Opcode Fuzzy Hash: 2af5b479b23726d604d041116cff2e80767a4e24480f952c0d8963b5c5abd51c
Instruction Fuzzy Hash: 2B319E71110604AEDB109F68DC82FFB73ADFF88724F009619F8A9D7290DA34AD91DB60

Function 00934537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0093461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00934634

Strings

', xrefs: 0093458E

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f98bbcea383669641a2062378ca14ca28ef03f869fcb20b9499f48dc55650ad3
Instruction ID: 5076625689e7088e00a265647d5e43607026b8b128e6b57c9e6fff36720673a7
Opcode Fuzzy Hash: f98bbcea383669641a2062378ca14ca28ef03f869fcb20b9499f48dc55650ad3
Instruction Fuzzy Hash: 7D312575A0030A9FDB14CFA9C981BDABBB9FF09304F11406AE904AB381D770A941CF90

Function 009331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0093327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00933287

Strings

Combobox, xrefs: 00933249

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 97bf060b60fe331f4a5aed6a0ec766babef0966d6e18031e9261337be18af037
Instruction ID: 46394975ef7a4c45f04009d1283c3a04c6674e80112bd03a60c5a6e379ccdbee
Opcode Fuzzy Hash: 97bf060b60fe331f4a5aed6a0ec766babef0966d6e18031e9261337be18af037
Instruction Fuzzy Hash: 1911B2713442087FFF219E94DC81EBB376FEB94364F108228F928A7290D6719D619B60

Function 00933710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008A604C
Part of subcall function 008A600E: GetStockObject.GDI32(00000011), ref: 008A6060
Part of subcall function 008A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008A606A

GetWindowRect.USER32(00000000,?), ref: 0093377A
GetSysColor.USER32(00000012), ref: 00933794

Strings

static, xrefs: 00933757

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: cda1ffa0c4a255187afa9af9c5bdb8d1989775ebf29c9179a9cabad4b644ec03
Instruction ID: f44105a1078fa3615a8e9e47b3596ea46066fcda9ed5f342a56914f3c0b0c0a4
Opcode Fuzzy Hash: cda1ffa0c4a255187afa9af9c5bdb8d1989775ebf29c9179a9cabad4b644ec03
Instruction Fuzzy Hash: B01129B2654609AFDF00DFA8CC46AEA7BF8FB08314F004914F956E2250E735E8619B50

Function 0091CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0091CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0091CDA6

Strings

<local>, xrefs: 0091CD66

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1ed8ad703ff236353010a6058f488740babb6b040362f12232f9562d2abaeceb
Instruction ID: 0bb294f8946951fc1f56020068640a5c1d2fb353577bf049dac693c20190dbd1
Opcode Fuzzy Hash: 1ed8ad703ff236353010a6058f488740babb6b040362f12232f9562d2abaeceb
Instruction Fuzzy Hash: 0A1106F93856397AD7344B669C44EE7BEADEF127A4F004226B109930C0D3749880D6F0

Function 00933429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009334BA

Strings

edit, xrefs: 0093348F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1c50a7c67fda0fb1853b3197bb74a760765f6f983e4fc8a40cbf20d997f29e54
Instruction ID: 2f8b3956dd451d2018cd540e0e844aa6af0af87f900d1f9090f4579917f7b021
Opcode Fuzzy Hash: 1c50a7c67fda0fb1853b3197bb74a760765f6f983e4fc8a40cbf20d997f29e54
Instruction Fuzzy Hash: 98118F71150208ABEB114F64DC48AEB376EEB45378F508724F965A31E0C775DC919F51

Function 00906C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00906CB6
_wcslen.LIBCMT ref: 00906CC2

Strings

STOP, xrefs: 00906CBC, 00906CC1

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e6e0a48301cd96f6ab054d2681abec3a3d03803c681fbf5df9449d5caf914db7
Instruction ID: 9ceebe66d2ee91fcee7795c69726a40b4b594620ebfd934621984c280d0c2028
Opcode Fuzzy Hash: e6e0a48301cd96f6ab054d2681abec3a3d03803c681fbf5df9449d5caf914db7
Instruction Fuzzy Hash: 3B0104326045368FEB209FBDDC809BF37B8FB61710B000928E992D61D0EB31D960C650

Function 00901CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00901D4C

Strings

ListBox, xrefs: 00901D16
ComboBox, xrefs: 00901CEB

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 80c20d30a0c12320ed25b06eedeb07a384ef0588f6a3eb8bb6c3ac44ffdbbd97
Instruction ID: 77897a90b8617c976dcd0a9c9303bd16be497c7744f701cf83ae73eb00b5e9c7
Opcode Fuzzy Hash: 80c20d30a0c12320ed25b06eedeb07a384ef0588f6a3eb8bb6c3ac44ffdbbd97
Instruction Fuzzy Hash: C801D871605624AFDB08EBA4CC51DFE736CFF47754B040919F862A72C1EA3459088761

Function 00901BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00901C46

Strings

ListBox, xrefs: 00901C10
ComboBox, xrefs: 00901BE5

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dd2b4ec0d035448198f55178cf2529c5caaa442d74949478ddd72b1c6f798664
Instruction ID: 5b17854c90011b4594b3bf87bb8f8d8fb4f132c1311ca8863a169a9b91746104
Opcode Fuzzy Hash: dd2b4ec0d035448198f55178cf2529c5caaa442d74949478ddd72b1c6f798664
Instruction Fuzzy Hash: 7401AC756451146FEB08E7A4C952AFF77ACDB52340F140015F886B71C1EA24DF48D672

Function 00901C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00901CC8

Strings

ListBox, xrefs: 00901C94
ComboBox, xrefs: 00901C69

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9b5ab8de436f97376688769190a67b96d99cfc925521c01b092208663c899976
Instruction ID: 76df0603c21e564ee72804b0557f3fee56619c58567a69e12d8fa8c54b2574bd
Opcode Fuzzy Hash: 9b5ab8de436f97376688769190a67b96d99cfc925521c01b092208663c899976
Instruction Fuzzy Hash: C601DB716401246BEB04E7A4CA11AFE73ACEB12380F140015F881B32C1EA24DF08D672

Function 00901D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008A9CB3: _wcslen.LIBCMT ref: 008A9CBD

Part of subcall function 00903CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00903CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00901DD3

Strings

ListBox, xrefs: 00901DA0
ComboBox, xrefs: 00901D75

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5832e3da06dbd0c7053e2b6905633b3ab584dda160087aa04041d4f887f4b3dc
Instruction ID: f7ed3b7e50462e8976d60af3e23a36bbbd0fc51836ecc4845e6f62a6435f9bc4
Opcode Fuzzy Hash: 5832e3da06dbd0c7053e2b6905633b3ab584dda160087aa04041d4f887f4b3dc
Instruction Fuzzy Hash: A4F02871B546246BEB04F7A8CC52FFF737CFB42394F040915F862A32C1DE645A088261

Function 0092747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00927493
_wcslen.LIBCMT ref: 009274B9

Strings

3, 3, 16, 1, xrefs: 00927483

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 79b47d5d5f378c346f7a6dabe6feef1e57de2485973049f68ac4ae2e47b68975
Instruction ID: c6988d3806c9ee3a66bd5c4a1ed8578cb83bbaf8721e42f54044658cfd940802
Opcode Fuzzy Hash: 79b47d5d5f378c346f7a6dabe6feef1e57de2485973049f68ac4ae2e47b68975
Instruction Fuzzy Hash: 0BE0E51260423010923122AABCC1EBF9A9EDEC5750B10282EF981D227EEAA4CDD193A1

Function 00900B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00900B23

Strings

AutoIt, xrefs: 00900B17
Error allocating memory., xrefs: 00900B1C

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a4687df27b86decf2db71ccfbfe4d9ab9149e5e5989f0382664af268b6988857
Instruction ID: 5c5c29708b5a40ebb67e1ceb8fc61881f286a34b354af3fcd16b312c2d195f10
Opcode Fuzzy Hash: a4687df27b86decf2db71ccfbfe4d9ab9149e5e5989f0382664af268b6988857
Instruction Fuzzy Hash: CDE020712447183AD21437587C03FC97BC4DF05F65F10042AFB98E55C38BE164900BEA

Function 008C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008C0D71,?,?,?,008A100A), ref: 008BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,008A100A), ref: 008C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008A100A), ref: 008C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008C0D7F

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 650152f8a5b2b9309a9fbdc7fd0b4c8ec5f46c8de5fcb847d11067176664b842
Instruction ID: e410ab48ce855bdb99cffb74994e6b2ef1e2b7131c5c85762b32413bcf0b6680
Opcode Fuzzy Hash: 650152f8a5b2b9309a9fbdc7fd0b4c8ec5f46c8de5fcb847d11067176664b842
Instruction Fuzzy Hash: 06E06DB02007518BD7309FBCD8047427BF0FB00784F004A6DE996C6651DBB4E4489F91

Function 00913017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0091302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00913044

Strings

aut, xrefs: 00913038

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 840704b63688cbe6611b419dcd9de26a36a73c3bf031082a2d206122b8b15e4a
Instruction ID: d78dbda188d22da1f27fa6e79b74d7428df5184ae23da52094efeaf441340d92
Opcode Fuzzy Hash: 840704b63688cbe6611b419dcd9de26a36a73c3bf031082a2d206122b8b15e4a
Instruction Fuzzy Hash: D2D05EB250032877DA20A7A4AC0EFCB3A6CDB04750F4002A1BA65E2095DAB0D984CFD0

Function 00932322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0093233F

Part of subcall function 0090E97B: Sleep.KERNEL32 ref: 0090E9F3

Strings

Shell_TrayWnd, xrefs: 00932325

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9ce6823a5c4cd8732cf66e00f0e32fd920a434326a883a5e1a3a53c314da2d49
Instruction ID: a9da5ddf389402b376fbd38d9f1d1f87392af50b1117115f704144078e8dfa49
Opcode Fuzzy Hash: 9ce6823a5c4cd8732cf66e00f0e32fd920a434326a883a5e1a3a53c314da2d49
Instruction Fuzzy Hash: 4CD012763A8710BBE764B770DC0FFC67A159B40B14F0049167755BA1D0C9F0A841DF54

Function 00932356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093236C
PostMessageW.USER32(00000000), ref: 00932373

Part of subcall function 0090E97B: Sleep.KERNEL32 ref: 0090E9F3

Strings

Shell_TrayWnd, xrefs: 00932365

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ee968174cd8f586d6d9cefb3d076c19fa9bee445d3ca1f22653a8b7b714cee7d
Instruction ID: c056e351f977dd5eaa8e8508f433260d8b619884cda8a853d474b6dde63a3c39
Opcode Fuzzy Hash: ee968174cd8f586d6d9cefb3d076c19fa9bee445d3ca1f22653a8b7b714cee7d
Instruction Fuzzy Hash: E4D0C9723997107AE664A7709C0FFC676159B45B14F0049167655BA1D0C9A0A8419B58

Function 008DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008DBE93
GetLastError.KERNEL32 ref: 008DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008DBEFC

Memory Dump Source

Source File: 00000000.00000002.1766261269.00000000008A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000000.00000002.1766225544.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.000000000093C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766356808.0000000000962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766444002.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1766481534.0000000000974000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f2185053aedcfc411159e5aa9712b49662e3f5e74c2d473dc04b8d6b9622b913
Instruction ID: d9f7416d26fa1b128dba90d2ff1547a85647aa86adbe288b9ab265971b79e966
Opcode Fuzzy Hash: f2185053aedcfc411159e5aa9712b49662e3f5e74c2d473dc04b8d6b9622b913
Instruction Fuzzy Hash: D841C335604246EFDB218FA9CC44AAA7BA5FF41320F16426AF959D73A1DF308D00DB61

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive

Source: firefox.exe, 0000000D.00000003.1886993065.0000021AD1DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1794288953.0000021AD7772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1911648432.0000021AE1D24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927161810.0000021AE1D26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1873852778.0000021ADF682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876400034.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881589534.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1876400034.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793382028.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1873852778.0000021ADF682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881589534.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1911648432.0000021AE1D24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927161810.0000021AE1D26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1873852778.0000021ADF682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936360112.0000021ADF6D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954753598.0000021ADF6DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1873852778.0000021ADF682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936360112.0000021ADF6D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954753598.0000021ADF6DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1873852778.0000021ADF682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876400034.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881589534.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1873852778.0000021ADF682000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876400034.0000021ADE1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881589534.0000021AD7DAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1957851776.0000021AD8054000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3561620594.0000028EB0F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561580269.0000020938E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1911648432.0000021AE1D24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911648432.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927161810.0000021AE1D26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1911648432.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926897722.0000021AE1D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50055 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50053 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb0b38c2-3bcf-4223-a6aa-eb03c792117c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cb0b38c2-3bcf-4223-a6aa-eb03c792117c.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HF3Z20WF5YJVRHUZUD5O.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQDKMV34L7B6IY88EMNA.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre