Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574195
MD5:	5ecf37910c2ee428328d45ac7bccad85
SHA1:	495c53d6d0db198a1995b24f5c71e3931f07db05
SHA256:	7ff4fa8172bfcf7b0cdfd4b78a04635df24778e2b11a7b867507b6924b52922b
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5ECF37910C2EE428328D45AC7BCCAD85)

taskkill.exe (PID: 6256 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6524 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6572 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1816 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5344 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5560 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1892 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6156 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6980 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd48ffe2-a6ab-49c9-8773-ea88117d718a} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1784ec6f710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7564 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4408 -parentBuildID 20230927232528 -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f66020-2320-4999-b330-4a90c682fd5e} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1786104ad10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8008 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e265c5d-bf32-482b-a1cc-80247191915d} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 17860075f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6412	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0098EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0098EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0098ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0098EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0097AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_009A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2043206842.00000000009D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7a7fdd55-e
Source: file.exe, 00000000.00000000.2043206842.00000000009D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c7840e90-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_13fa37d9-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_abc13404-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000011864B08677 NtQuerySystemInformation,		17_2_0000011864B08677
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000011864B26372 NtQuerySystemInformation,		17_2_0000011864B26372

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0097D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00971201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00971201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0097E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00982046	0_2_00982046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00918060	0_2_00918060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00978298	0_2_00978298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094E4FF	0_2_0094E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094676B	0_2_0094676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A4873	0_2_009A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093CAA0	0_2_0093CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091CAF0	0_2_0091CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092CC39	0_2_0092CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00946DD9	0_2_00946DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009191C0	0_2_009191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092B119	0_2_0092B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931394	0_2_00931394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931706	0_2_00931706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093781B	0_2_0093781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009319B0	0_2_009319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00917920	0_2_00917920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092997D	0_2_0092997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00937A4A	0_2_00937A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00937CA7	0_2_00937CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931C77	0_2_00931C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00949EEE	0_2_00949EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099BE44	0_2_0099BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931F32	0_2_00931F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000011864B08677	17_2_0000011864B08677
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000011864B26372	17_2_0000011864B26372
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000011864B263B2	17_2_0000011864B263B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000011864B26A9C	17_2_0000011864B26A9C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00919CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0092F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00930A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/40@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009837B5 GetLastError,FormatMessageW,

0_2_009837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009710BF AdjustTokenPrivileges,CloseHandle,		0_2_009710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0097D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0098648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2270329983.000001786AAEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2209796953.000001786AAEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2300407825.000001785F323000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count - 1 WHERE id = OLD.place_id;
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2260353542.000001786A7B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd48ffe2-a6ab-49c9-8773-ea88117d718a} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1784ec6f710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4408 -parentBuildID 20230927232528 -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f66020-2320-4999-b330-4a90c682fd5e} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1786104ad10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e265c5d-bf32-482b-a1cc-80247191915d} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 17860075f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd48ffe2-a6ab-49c9-8773-ea88117d718a} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1784ec6f710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4408 -parentBuildID 20230927232528 -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f66020-2320-4999-b330-4a90c682fd5e} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1786104ad10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e265c5d-bf32-482b-a1cc-80247191915d} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 17860075f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2163217642.000001786AC01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2201061862.000001785EECA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2200077741.000001785EED0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2200456383.000001786AC01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2170960969.000001785EE92000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170711260.000001785EE92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2201061862.000001785EECA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2200077741.000001785EED0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2163217642.000001786AC01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2200456383.000001786AC01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdbGCTL source: firefox.exe, 0000000E.00000003.2170960969.000001785EE92000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2170711260.000001785EE92000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00930A76 push ecx; ret

0_2_00930A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0092F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_009A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97426

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000011864B08677 rdtsc

17_2_0000011864B08677

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\file.exe TID: 2836	Thread sleep count: 111 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2836	Thread sleep count: 149 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0097DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094C2A2 FindFirstFileExW,	0_2_0094C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009868EE FindFirstFileW,FindClose,	0_2_009868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0098698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0097D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0097D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00989642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00989642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0098979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00989B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00989B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00985C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00985C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Source: file.exe, 00000000.00000003.2134973221.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134379477.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134716686.00000000015C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf 3
Source: firefox.exe, 00000012.00000002.3904887347.00000153F498A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 4
Source: firefox.exe, 00000010.00000002.3904956999.000002091F14A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3909313050.00000118649D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3904377738.000001186413A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909562662.00000153F4CC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3910060082.000002091F61C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3910673418.000002091FA40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: firefox.exe, 00000010.00000002.3910673418.000002091FA40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3909313050.00000118649D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000011864B08677 rdtsc

17_2_0000011864B08677

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0098EAA2 BlockInput,

0_2_0098EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00942622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00942622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00934CE8 mov eax, dword ptr fs:[00000030h]

0_2_00934CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00970B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00970B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00942622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00942622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0093083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009309D5 SetUnhandledExceptionFilter,	0_2_009309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00930C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00930C21

Source: C:\Users\user\Desktop\file.exe

0_2_00971201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00952BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00952BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097B226 SendInput,keybd_event,

0_2_0097B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00970B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00971663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00971663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2171652757.000001786AC01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00930698 cpuid

0_2_00930698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0096D21C GetLocalTime,

0_2_0096D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0096D27A GetUserNameW,

0_2_0096D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0094B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0094B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6412, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6412, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00991204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00991204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00991806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00991806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	22%	Virustotal		Browse
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.174	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://youtube.comZ	firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000E.00000003.2283972609.00000178603A7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.2211578633.0000017866A76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283972609.00000178603A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319222655.0000017866A76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288166556.0000017860FD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281371914.0000017860FD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2135725853.0000017866A76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.00000118644C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4BC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2269539913.000001786AB30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2301572224.0000017860335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284610985.0000017860335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289360164.0000017860335000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2231769999.0000017866C28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2133697680.0000017866C28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2131481166.0000017866C2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146170208.0000017866C28000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3906161183.000002091F4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.00000118644F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909762436.00000153F4E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3906161183.000002091F472000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.0000011864486000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4B8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2303102366.000001785EF45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2135725853.0000017866A76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316375557.000001785F34D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2304085435.000001785BB79000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2302116199.000001785FCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298173293.000001785FCCD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2110498131.000001785E681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109332431.000001785E61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109683472.000001785E660000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109515353.000001785E63E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109188145.000001785F000000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2298428240.000001785F7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298428240.000001785F7D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2260831718.000001786A496000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2287231663.0000017866B61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262930273.0000017866B5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2110498131.000001785E681000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301572224.0000017860335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109332431.000001785E61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2155546542.0000017861660000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264451860.00000178616E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284610985.0000017860335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156022000.0000017861680000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223703872.00000178616E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109683472.000001785E660000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2289360164.0000017860335000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109515353.000001785E63E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109188145.000001785F000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223165595.00000178616A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2304085435.000001785BB79000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2136693122.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319457618.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310010474.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294599281.000001786249F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2109332431.000001785E61D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109683472.000001785E660000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109515353.000001785E63E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2109188145.000001785F000000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2292031634.00000178666E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316940906.000001785E4BA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2314413995.000001785FFCF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2140542793.000001785FFD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2303796699.000001785BBD9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2262370723.0000017867234000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2315447647.000001785F3F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299149187.000001785F3F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2140542793.000001785FFD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2318037548.000001785E150000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.000001186440A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4B0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2158477789.000001785FD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158800480.000001785FD5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2159104951.000001785FD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2159175578.000001785FD60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2320597124.00000178608BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281571036.00000178608BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2303102366.000001785EF45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.2318839413.0000017866D51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.00000118644C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4BC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2309481941.00000178624D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294599281.00000178624D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2158477789.000001785FD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2159104951.000001785FD4F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2221595197.000001786146F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2306621105.000001786A1A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2285520077.0000017869DFC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2296251395.00000178600DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3906161183.000002091F4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.00000118644F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909762436.00000153F4E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3906161183.000002091F4CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.00000118644F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909762436.00000153F4E03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2262370723.0000017867227000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2135725853.0000017866A76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.0000011864412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4B13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2303102366.000001785EF45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3909200848.00000153F4CB0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.2268633730.00000178615CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2281571036.00000178608C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320597124.00000178608C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2303796699.000001785BBC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2158205793.0000017866E71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl3.digi	firefox.exe, 0000000E.00000003.2163321621.000001785EE79000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2163870537.000001785EE81000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2164131057.000001785EE82000.00000004.00000020.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2256836621.000001785FED0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2268490444.0000017862218000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2318950588.0000017866BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275666865.000001786147B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244915104.000001785F0E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221595197.0000017861469000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2156519571.000001785FDDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276134304.00000178614C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293295517.000001785FDDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243441542.0000017866C08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2236066825.00000178614C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285308480.00000178602E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280962950.00000178610C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245697880.000001785E55F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221595197.0000017861413000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287093597.0000017866D15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219811408.00000178602E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256691162.00000178614F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221595197.000001786145F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2158091248.000001785FED9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256836621.000001785FED9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2136693122.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319457618.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310010474.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294599281.000001786249F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2136693122.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319457618.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2310010474.000001786249F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294599281.000001786249F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2210924575.0000017866BE6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2315447647.000001785F3F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299149187.000001785F3F7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2315447647.000001785F3F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299149187.000001785F3F7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2281571036.00000178608C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320597124.00000178608C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2231769999.0000017866C28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2133697680.0000017866C28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2146170208.0000017866C28000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2262930273.0000017866B51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2287231663.0000017866B51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2281571036.000001786088A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/rZ	firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2287231663.0000017866B61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262930273.0000017866B5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2211195637.0000017866B45000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2208396589.000001786B272000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3909447767.000002091F530000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3908930857.0000011864960000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909042775.00000153F4C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2303796699.000001785BBC2000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574195
Start date and time:	2024-12-13 03:41:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/40@70/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 48 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.85.93.176, 44.228.225.150, 54.213.181.160, 142.250.181.106, 172.217.17.46, 88.221.134.209, 88.221.134.155, 184.30.17.174, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://sourceforge.net/projects/nircmd/files/nircmd-x64.zip/download	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	b3astmode.arm5.elf	Get hash	malicious	Mirai	Browse	34.66.227.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.51.229.161
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.106.195.4
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	b3astmode.sh4.elf	Get hash	malicious	Mirai	Browse	51.128.98.129
	b3astmode.mpsl.elf	Get hash	malicious	Mirai	Browse	48.72.60.226
	b3astmode.arm5.elf	Get hash	malicious	Mirai	Browse	51.249.27.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_299dc3a2-3c2e-47db-b2c5-df0f0b7fd3e6.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.172128913293677
Encrypted:	false
SSDEEP:	192:GKMiTvYcbhbVbTbfbRbObtbyEl7nMrxJA6wnSrDtTkd/SP:GPNcNhnzFSJsrsjnSrDhkd/O
MD5:	FCC7C04B840FB91E6B06784F5970C776
SHA1:	39282643C6DB796765941239A2DD3FEC4E298710
SHA-256:	543771D9464974B475078F14E3C0AE0A55A813F55C7AE3754759F0EB20576302
SHA-512:	C4A9FC3545EBAFD1704A5FFAFBD4CEC7B0AB5842AABA4413B89475C837788D09B5E142550973438F59B8372BA97096C6032794EF917802E852B9530ABC6F3F0F
Malicious:	false
Preview:	{"type":"uninstall","id":"299dc3a2-3c2e-47db-b2c5-df0f0b7fd3e6","creationDate":"2024-12-13T04:14:27.787Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_299dc3a2-3c2e-47db-b2c5-df0f0b7fd3e6.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.172128913293677
Encrypted:	false
SSDEEP:	192:GKMiTvYcbhbVbTbfbRbObtbyEl7nMrxJA6wnSrDtTkd/SP:GPNcNhnzFSJsrsjnSrDhkd/O
MD5:	FCC7C04B840FB91E6B06784F5970C776
SHA1:	39282643C6DB796765941239A2DD3FEC4E298710
SHA-256:	543771D9464974B475078F14E3C0AE0A55A813F55C7AE3754759F0EB20576302
SHA-512:	C4A9FC3545EBAFD1704A5FFAFBD4CEC7B0AB5842AABA4413B89475C837788D09B5E142550973438F59B8372BA97096C6032794EF917802E852B9530ABC6F3F0F
Malicious:	false
Preview:	{"type":"uninstall","id":"299dc3a2-3c2e-47db-b2c5-df0f0b7fd3e6","creationDate":"2024-12-13T04:14:27.787Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3092950529043326
Encrypted:	false
SSDEEP:	24:5df+yAnljTIUx2dWoM15rLN8zmkdf+yAnljswM+bpoqdWoM15rLFX1Rgmadf+yA/:5dKaUgdw8zLdKq6BdwsBdKKadwu1
MD5:	DB31B6A140562F5445968934BEE9E51E
SHA1:	CD7B4AEE14E8056946C11E6FD945F423DA01EDD7
SHA-256:	CBC00D60EB8D2AFAEE6882408FC7F3E62F6F93984A0ED3903EB3745C3F828BA6
SHA-512:	FD7BC1E817FD8B102A5CF3EBD427632E75CF735F393C5B8CB5DBFB6B2F17E6F424427445B61377498586AD2F7D166FB70E6827EE0361700AF0FEA0FE04C98343
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.YT.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YT.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.YT...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............3.s.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3092950529043326
Encrypted:	false
SSDEEP:	24:5df+yAnljTIUx2dWoM15rLN8zmkdf+yAnljswM+bpoqdWoM15rLFX1Rgmadf+yA/:5dKaUgdw8zLdKq6BdwsBdKKadwu1
MD5:	DB31B6A140562F5445968934BEE9E51E
SHA1:	CD7B4AEE14E8056946C11E6FD945F423DA01EDD7
SHA-256:	CBC00D60EB8D2AFAEE6882408FC7F3E62F6F93984A0ED3903EB3745C3F828BA6
SHA-512:	FD7BC1E817FD8B102A5CF3EBD427632E75CF735F393C5B8CB5DBFB6B2F17E6F424427445B61377498586AD2F7D166FB70E6827EE0361700AF0FEA0FE04C98343
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.YT.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YT.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.YT...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............3.s.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFTGXSPFX6RGPVI6SEAX.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3092950529043326
Encrypted:	false
SSDEEP:	24:5df+yAnljTIUx2dWoM15rLN8zmkdf+yAnljswM+bpoqdWoM15rLFX1Rgmadf+yA/:5dKaUgdw8zLdKq6BdwsBdKKadwu1
MD5:	DB31B6A140562F5445968934BEE9E51E
SHA1:	CD7B4AEE14E8056946C11E6FD945F423DA01EDD7
SHA-256:	CBC00D60EB8D2AFAEE6882408FC7F3E62F6F93984A0ED3903EB3745C3F828BA6
SHA-512:	FD7BC1E817FD8B102A5CF3EBD427632E75CF735F393C5B8CB5DBFB6B2F17E6F424427445B61377498586AD2F7D166FB70E6827EE0361700AF0FEA0FE04C98343
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.YT.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YT.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.YT...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............3.s.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKRRYCNOU9MRLOGESE62.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3092950529043326
Encrypted:	false
SSDEEP:	24:5df+yAnljTIUx2dWoM15rLN8zmkdf+yAnljswM+bpoqdWoM15rLFX1Rgmadf+yA/:5dKaUgdw8zLdKq6BdwsBdKKadwu1
MD5:	DB31B6A140562F5445968934BEE9E51E
SHA1:	CD7B4AEE14E8056946C11E6FD945F423DA01EDD7
SHA-256:	CBC00D60EB8D2AFAEE6882408FC7F3E62F6F93984A0ED3903EB3745C3F828BA6
SHA-512:	FD7BC1E817FD8B102A5CF3EBD427632E75CF735F393C5B8CB5DBFB6B2F17E6F424427445B61377498586AD2F7D166FB70E6827EE0361700AF0FEA0FE04C98343
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.YT.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.YT.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.YT...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............3.s.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.919114411034934
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNwi99rxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LcH8P
MD5:	457E9D36A3494183C03B565EEA8671C4
SHA1:	A64786F0FC74D2E6D881C7AE3CB76BA9583CB123
SHA-256:	F9532966EE738678C2A39C0FC588D42A6A351875F00A4DB345FF2F374C8E5007
SHA-512:	C414F1E219B57063B5BA8B31DCA2D1C8C5FFA4E8FF50082B3201A11C0BE185453A91E87B5BE516D4A31B139DD2C5E987C2213B42090791927108B578DCABAF25
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.919114411034934
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNwi99rxE:8S+OVPUFRbOdwNIOdYpjvY1Q6LcH8P
MD5:	457E9D36A3494183C03B565EEA8671C4
SHA1:	A64786F0FC74D2E6D881C7AE3CB76BA9583CB123
SHA-256:	F9532966EE738678C2A39C0FC588D42A6A351875F00A4DB345FF2F374C8E5007
SHA-512:	C414F1E219B57063B5BA8B31DCA2D1C8C5FFA4E8FF50082B3201A11C0BE185453A91E87B5BE516D4A31B139DD2C5E987C2213B42090791927108B578DCABAF25
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07332549098150803
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki0:DLhesh7Owd4+ji0
MD5:	63A000804B8C70A5CF73DDF9880C3EFB
SHA1:	11DB2950BFE64AD39880039470C2D1467E9A9AFE
SHA-256:	A3C72FFED48687F78C85850BF1EA47F6FF47CBA9E9FEC42FA60B4A664BAACBA9
SHA-512:	4807D8A8E4BCFA258EABB9DF7BAECC9585287E244F07FAF8E4A980E310A937EAA73AF5DBFA00BC362FA6EA37B088826B882A066959C504063867CF70D8F876B9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039629310946426154
Encrypted:	false
SSDEEP:	3:GHlhVDANRfmdoyW/HlhVDANRfmdoy1il8a9//Ylll4llqlyllel4lt:G7VEDfmds/7VEDfmdSL9XIwlio
MD5:	01720B627049D1160F274FE6B6096452
SHA1:	B0A30613A3D50AC2AC1448859B639192EA99A977
SHA-256:	CB0D8BCA7FE84B5637AFD15126EFA7A895BC060353F8295EF04C8A56455179F1
SHA-512:	C09899343AA017C24360C285800CAE4126C79E4DC8AE2B82E4E37D5A1723944B9A80C6512E6C330A6B6A78272110E7BF759262CAAF465C24929A9050D884F585
Malicious:	false
Preview:	..-.......................,..3.n.......D.`R......-.......................,..3.n.......D.`R............................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13394850708790879
Encrypted:	false
SSDEEP:	24:KffkksLxsZ+b2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2Knw1:0MFQK2VJCXs4qLWeJa1VyKwyZk
MD5:	4DD863A1F30B8C29BE07A14FC5E07401
SHA1:	6A16FD18B5FDEAE905B6F06AC6F4BE09A0D5861B
SHA-256:	103E3D8C9F50137E48670A524084A2BE4939EECACAD462F48A3F9A806252D03A
SHA-512:	69EECAC16CD516CDDE8FA96F390B9A496B16FB3BF9E67C961FE9CB314C09B316EE6467E9D1F0867092A3C6F7828EC716D9286F18CE05D025F31E04CB0846502C
Malicious:	false
Preview:	7....-.................D.....sw...............D.nG4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.475617458560882
Encrypted:	false
SSDEEP:	192:inPOeRnLYbBp6YJ0aX+E6SEXKMZNMK5RHWNBw8dGSl:gDeZJUnhzTHEwt0
MD5:	917AB78318F185320831733B9B7A2190
SHA1:	E41CF9E0F923D7608CE6DDE4C724A6FA2045149D
SHA-256:	F4975FCC7C7B344E2CCE35335A9BA0ACCBA0A894D93EA9CBB7BE5519615BC5A3
SHA-512:	996128CC2693C505CE60F0FF0689C42E25109B57AC339FE337E7003853E2CCE912408580C68C080B65FE831500220258FA7C84C64B9EB499E1E9F3BCEA173407
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734063237);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734063237);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734063237);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173406

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.475617458560882
Encrypted:	false
SSDEEP:	192:inPOeRnLYbBp6YJ0aX+E6SEXKMZNMK5RHWNBw8dGSl:gDeZJUnhzTHEwt0
MD5:	917AB78318F185320831733B9B7A2190
SHA1:	E41CF9E0F923D7608CE6DDE4C724A6FA2045149D
SHA-256:	F4975FCC7C7B344E2CCE35335A9BA0ACCBA0A894D93EA9CBB7BE5519615BC5A3
SHA-512:	996128CC2693C505CE60F0FF0689C42E25109B57AC339FE337E7003853E2CCE912408580C68C080B65FE831500220258FA7C84C64B9EB499E1E9F3BCEA173407
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734063237);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734063237);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734063237);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173406

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\c1446d0f-e35b-4eea-81fb-d9725acf336f (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.955865711183904
Encrypted:	false
SSDEEP:	12:YZFgrNowgj++DE5iIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YuCwg5EwSlCOlZGV1AQIWZcy6ZXvx
MD5:	9F14B8E534DA0E3CF46CECC8A1201BF8
SHA1:	F216483A81D313BB0B1D2935313A93EF62D7CBFB
SHA-256:	0071BCD46F6FF0AB7C40DFD32980C588C66DE318C65296D1DD1D2D088FEB5DF5
SHA-512:	27CEEE2ECD6583734BA3DB83813DF6D8F58ADC6F33B09AB0C2E9F08EB4C4B2301A40C5BA918BD04495F7BE3EF615A5C0122F8FA9D5833A0F2BC8675A99E6F74B
Malicious:	false
Preview:	{"type":"health","id":"c1446d0f-e35b-4eea-81fb-d9725acf336f","creationDate":"2024-12-13T04:14:29.104Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\c1446d0f-e35b-4eea-81fb-d9725acf336f.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.955865711183904
Encrypted:	false
SSDEEP:	12:YZFgrNowgj++DE5iIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YuCwg5EwSlCOlZGV1AQIWZcy6ZXvx
MD5:	9F14B8E534DA0E3CF46CECC8A1201BF8
SHA1:	F216483A81D313BB0B1D2935313A93EF62D7CBFB
SHA-256:	0071BCD46F6FF0AB7C40DFD32980C588C66DE318C65296D1DD1D2D088FEB5DF5
SHA-512:	27CEEE2ECD6583734BA3DB83813DF6D8F58ADC6F33B09AB0C2E9F08EB4C4B2301A40C5BA918BD04495F7BE3EF615A5C0122F8FA9D5833A0F2BC8675A99E6F74B
Malicious:	false
Preview:	{"type":"health","id":"c1446d0f-e35b-4eea-81fb-d9725acf336f","creationDate":"2024-12-13T04:14:29.104Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.348195723656348
Encrypted:	false
SSDEEP:	48:GUpOx70bnRcoWxY3erjxgRp4JwcnO6BtT:AERFVVRp4mcOe
MD5:	46C813507AE22B7DE2122D84D52A5C81
SHA1:	EFDB36D73CE378C1328CB1404ECE8D9FF7B313D2
SHA-256:	0A9F74E190A511E89DAF252C705D34E3616B6049A91D27189A78F3E668DC3F2C
SHA-512:	9137B92DE2AAE2D8F11540319B791B69FF6A61B323D3487EFCA084683F7296A384403A3BEC161241B3CF8910E2AB4331F92C76A7C9374FDDF30DB5E24E4C7450
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{75f353ad-3a95-40bf-a8bf-4a068969d369}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734063227985,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9..98952893-68f....5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P06592...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...11422,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	6.348195723656348
Encrypted:	false
SSDEEP:	48:GUpOx70bnRcoWxY3erjxgRp4JwcnO6BtT:AERFVVRp4mcOe
MD5:	46C813507AE22B7DE2122D84D52A5C81
SHA1:	EFDB36D73CE378C1328CB1404ECE8D9FF7B313D2
SHA-256:	0A9F74E190A511E89DAF252C705D34E3616B6049A91D27189A78F3E668DC3F2C
SHA-512:	9137B92DE2AAE2D8F11540319B791B69FF6A61B323D3487EFCA084683F7296A384403A3BEC161241B3CF8910E2AB4331F92C76A7C9374FDDF30DB5E24E4C7450
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{75f353ad-3a95-40bf-a8bf-4a068969d369}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734063227985,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9..98952893-68f....5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P06592...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...11422,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029891612411796
Encrypted:	false
SSDEEP:	96:ycdSMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:3jTEr5NX0z3DhRe
MD5:	23F511F06FDEF0F103BD5C340083AD61
SHA1:	0E0E69A52C01D32770C59D76535FA56DEEBCE4F6
SHA-256:	F0AF1D27A5A4333344AED90980FD230C2C3E039FC93DF2D9D90CDA4CE43323F9
SHA-512:	BBE5D267DD58743361934B82D09180AE01F45A52AF94D908B1FFF8965C6528E53F5AD07E95E702AFB672B51333E11838BE989CDCC9C02374BF75B0F2E61C87FD
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T04:13:36.548Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029891612411796
Encrypted:	false
SSDEEP:	96:ycdSMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:3jTEr5NX0z3DhRe
MD5:	23F511F06FDEF0F103BD5C340083AD61
SHA1:	0E0E69A52C01D32770C59D76535FA56DEEBCE4F6
SHA-256:	F0AF1D27A5A4333344AED90980FD230C2C3E039FC93DF2D9D90CDA4CE43323F9
SHA-512:	BBE5D267DD58743361934B82D09180AE01F45A52AF94D908B1FFF8965C6528E53F5AD07E95E702AFB672B51333E11838BE989CDCC9C02374BF75B0F2E61C87FD
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T04:13:36.548Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.700090852724104
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	969'216 bytes
MD5:	5ecf37910c2ee428328d45ac7bccad85
SHA1:	495c53d6d0db198a1995b24f5c71e3931f07db05
SHA256:	7ff4fa8172bfcf7b0cdfd4b78a04635df24778e2b11a7b867507b6924b52922b
SHA512:	512245ab28e456dc6761bd5fe506c0ffd542e0146201be94d9b35593e77957636c4a34d40ddf47882c3c04fdfa275dbcf1d0146e89a0c80d9f6105cfe652dd35
SSDEEP:	24576:jqDEvCTbMWu7rQYlBQcBiT6rprG8aE2q85:jTvC/MTQYxsWR7aE2q
TLSH:	A7259E027381C062FFAB92734F5AF6515BBC6A260123E61F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B98AE [Fri Dec 13 02:15:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FF538E21893h
jmp 00007FF538E2119Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF538E2137Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF538E2134Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FF538E23F3Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FF538E23F88h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FF538E23F71h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x15ed4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x15ed4	0x16000	aab6c0afac40a0b5d5d4f920958d3390	False	0.6975985440340909	data	7.157360809974208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd056	data			1.0004874939063262
RT_GROUP_ICON	0xe9954	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe99cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe99e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe99f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9a08	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9ae4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 03:42:43.364319086 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:43.364367008 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 03:42:43.364753962 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:43.369754076 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:43.369774103 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 03:42:44.205085993 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:44.205127001 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:44.205502033 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:44.206886053 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:44.206902981 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:44.211891890 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:44.211918116 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:44.217022896 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:44.218319893 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:44.218333006 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:44.673648119 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 03:42:44.673758030 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:45.151350021 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:45.151469946 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:45.151568890 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:45.151583910 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:45.151680946 CET	443	49716	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:45.155050993 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:45.155107021 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:45.155162096 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:45.155188084 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 03:42:45.155236006 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:45.155539036 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 03:42:45.156553984 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:45.156595945 CET	443	49716	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:45.157778978 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:45.157814980 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:45.158724070 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:42:45.271886110 CET	80	49714	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:45.272310972 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:45.272403955 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:45.313648939 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:45.313676119 CET	443	49717	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:45.313877106 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:45.314014912 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:45.314026117 CET	443	49717	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:45.392803907 CET	80	49714	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:45.556652069 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:45.556701899 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:45.567334890 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:45.570373058 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:45.570389986 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:45.921833992 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.921909094 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.922916889 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.922982931 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.924973011 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.925108910 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.925970078 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.926059961 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.927087069 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.927110910 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.927282095 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.927356958 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.928046942 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.929358959 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.929380894 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.929472923 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.929743052 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.929847956 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.929858923 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.929965019 CET	443	49719	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:45.931117058 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.932447910 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:45.932485104 CET	443	49719	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:46.360814095 CET	80	49714	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.390703917 CET	443	49716	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.390805960 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.391096115 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.391401052 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.396353006 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.396382093 CET	443	49716	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.396445036 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.396544933 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.396573067 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.396646023 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.396703005 CET	443	49716	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.396867990 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.397017002 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.397068977 CET	443	49720	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.397084951 CET	49716	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.397099972 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.397470951 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.398835897 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.398865938 CET	443	49720	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.422633886 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.513277054 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.513339043 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.513377905 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.516571045 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.517965078 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:46.518001080 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:46.539891958 CET	443	49717	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:46.539969921 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:46.542511940 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:46.542530060 CET	443	49717	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:46.543009996 CET	443	49717	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:46.545283079 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:46.545367002 CET	49717	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:46.633269072 CET	80	49714	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.656913996 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.776763916 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.776905060 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.777080059 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.797888994 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.797909021 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.798038960 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.803366899 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.803378105 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.803786039 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.807684898 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.807770967 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.807945967 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.808177948 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.808177948 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.808290958 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.808325052 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.818099022 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.818289042 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:46.818298101 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:46.829596996 CET	80	49714	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.846554995 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.846915960 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.851547956 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.896889925 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.966767073 CET	80	49714	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.966845036 CET	49714	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.971401930 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:46.971580029 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:46.971633911 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:47.010179996 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:47.091763973 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:47.240575075 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:47.240660906 CET	443	49727	34.149.100.209	192.168.2.5
Dec 13, 2024 03:42:47.240736008 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:47.240766048 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:47.240780115 CET	443	49728	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:47.240957975 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:47.242147923 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:47.242230892 CET	443	49727	34.149.100.209	192.168.2.5
Dec 13, 2024 03:42:47.242374897 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:47.242393017 CET	443	49728	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:47.265388966 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:47.265470982 CET	443	49729	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:47.265567064 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:47.266697884 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:47.266736031 CET	443	49729	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:47.281496048 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:47.281517029 CET	443	49730	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:47.289585114 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:47.290757895 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:47.290782928 CET	443	49730	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:47.625093937 CET	443	49720	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.625171900 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.626374006 CET	443	49719	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:47.626523018 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:47.627013922 CET	443	49719	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:47.627070904 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:47.668832064 CET	80	49722	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:47.670981884 CET	49722	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:47.691826105 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.691859007 CET	443	49720	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.691896915 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.692231894 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:47.692316055 CET	443	49719	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:47.692364931 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:47.692549944 CET	443	49719	142.250.181.110	192.168.2.5
Dec 13, 2024 03:42:47.692564011 CET	443	49720	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.692744017 CET	49720	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.692748070 CET	49719	443	192.168.2.5	142.250.181.110
Dec 13, 2024 03:42:47.741602898 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.741795063 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.749929905 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.749984026 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.750046015 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.750212908 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.750416040 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.750457048 CET	443	49731	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.750478983 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.750531912 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.751828909 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:47.751843929 CET	443	49731	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:47.914621115 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:48.034504890 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:48.034601927 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:48.034743071 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:48.035125017 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:48.035141945 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:48.035391092 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:48.059199095 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:48.087677956 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:48.109816074 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:48.118760109 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:48.118788958 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:48.119905949 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:48.121484995 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:48.121484995 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:48.122153997 CET	443	49724	34.160.144.191	192.168.2.5
Dec 13, 2024 03:42:48.124723911 CET	49724	443	192.168.2.5	34.160.144.191
Dec 13, 2024 03:42:48.154767990 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:48.461962938 CET	443	49728	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:48.462105989 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:48.464523077 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:48.464529991 CET	443	49728	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:48.464879990 CET	443	49728	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:48.467253923 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:48.467358112 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:48.467485905 CET	443	49728	35.244.181.201	192.168.2.5
Dec 13, 2024 03:42:48.467555046 CET	49728	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:42:48.470947981 CET	443	49727	34.149.100.209	192.168.2.5
Dec 13, 2024 03:42:48.471023083 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:48.475270987 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:48.475291014 CET	443	49727	34.149.100.209	192.168.2.5
Dec 13, 2024 03:42:48.475337982 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:48.475549936 CET	443	49727	34.149.100.209	192.168.2.5
Dec 13, 2024 03:42:48.475728035 CET	49727	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:42:48.489104986 CET	443	49729	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:48.489192009 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:48.493510008 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:48.493540049 CET	443	49729	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:48.493582964 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:48.493817091 CET	443	49729	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:48.493922949 CET	49729	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:48.517236948 CET	443	49730	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:48.517249107 CET	443	49730	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:48.517323971 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:48.521853924 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:48.521902084 CET	443	49730	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:48.521961927 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:48.522075891 CET	443	49730	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:48.522135973 CET	49730	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:48.971342087 CET	443	49731	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:48.971477032 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:48.979115009 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:48.979120016 CET	443	49731	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:48.979336023 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:48.979357958 CET	443	49731	34.117.188.166	192.168.2.5
Dec 13, 2024 03:42:48.979710102 CET	49731	443	192.168.2.5	34.117.188.166
Dec 13, 2024 03:42:49.120611906 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:49.175189018 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:50.401099920 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:50.406354904 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:50.477114916 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.477205992 CET	443	49734	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:50.478266001 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.478636026 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.478718996 CET	443	49734	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:50.479907990 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.479996920 CET	443	49735	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:50.484170914 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.484170914 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.484302998 CET	443	49735	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:50.521398067 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:50.526638985 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:50.549104929 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.549139023 CET	443	49736	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:50.550653934 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.551932096 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:50.551945925 CET	443	49736	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:50.716928959 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:50.721414089 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:50.731460094 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:50.777332067 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:50.851608992 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:51.047105074 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:51.100286961 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:51.781114101 CET	443	49734	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.781253099 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.784866095 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.784895897 CET	443	49734	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.785216093 CET	443	49735	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.785279036 CET	443	49734	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.785330057 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.788294077 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.788324118 CET	443	49735	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.788669109 CET	443	49735	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.790719032 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.790889025 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.790937901 CET	443	49734	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.792068005 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.792068958 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.792388916 CET	443	49735	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.792407036 CET	49734	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.792787075 CET	49735	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.794217110 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:51.887361050 CET	443	49736	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:51.887945890 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:51.932193041 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:52.130734921 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:52.181461096 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:52.283010006 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:52.283061981 CET	443	49736	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:52.283104897 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:52.283705950 CET	443	49736	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:52.283828974 CET	49736	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:57.509735107 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:57.629829884 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:57.720370054 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:57.832685947 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:57.840435982 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:57.882808924 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:57.966442108 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:57.966533899 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:57.969954967 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:57.971285105 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:57.971324921 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:58.026472092 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:58.026565075 CET	443	49754	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:58.027812958 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:58.035511017 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:42:58.083408117 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:42:58.278249979 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:58.278331995 CET	443	49754	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:59.506644011 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:59.506835938 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:59.509411097 CET	443	49754	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:59.509483099 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:59.565504074 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:59.565505028 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:59.565547943 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:59.565653086 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:59.565665960 CET	443	49754	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:59.565732956 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:42:59.565814018 CET	443	49753	34.120.208.123	192.168.2.5
Dec 13, 2024 03:42:59.566092968 CET	49753	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:42:59.566252947 CET	443	49754	34.107.243.93	192.168.2.5
Dec 13, 2024 03:42:59.566318035 CET	49754	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:00.112046003 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:00.165783882 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:00.231870890 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:00.285595894 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:00.439668894 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:00.481498957 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:00.490356922 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:00.500072002 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:00.521595001 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:00.620132923 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:00.816350937 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:00.869344950 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:10.129123926 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:10.129208088 CET	443	49780	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:10.129527092 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:10.130705118 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:10.130759954 CET	443	49780	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:10.487068892 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:10.607513905 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:10.825608015 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:10.946656942 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:11.404161930 CET	443	49780	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:11.404294968 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:11.408168077 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:11.408168077 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:11.408226013 CET	443	49780	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:11.408600092 CET	443	49780	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:11.409343958 CET	49780	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:11.410727978 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:11.530761003 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:11.725506067 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:11.729439020 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:11.775042057 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:11.849354029 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:11.896348953 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:11.896408081 CET	443	49781	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:11.899074078 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:11.899074078 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:11.899127007 CET	443	49781	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:11.904038906 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:11.904083014 CET	443	49782	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:11.907597065 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:11.907627106 CET	443	49783	35.190.72.216	192.168.2.5
Dec 13, 2024 03:43:11.908404112 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:11.908507109 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:11.908622026 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:11.908638000 CET	443	49782	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:11.910032988 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:11.910049915 CET	443	49783	35.190.72.216	192.168.2.5
Dec 13, 2024 03:43:12.044785976 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:12.091558933 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:12.116185904 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:12.116245031 CET	443	49784	151.101.1.91	192.168.2.5
Dec 13, 2024 03:43:12.116427898 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:12.116539955 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:12.116552114 CET	443	49784	151.101.1.91	192.168.2.5
Dec 13, 2024 03:43:12.206948996 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:12.206984997 CET	443	49786	35.201.103.21	192.168.2.5
Dec 13, 2024 03:43:12.207065105 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:12.208504915 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:12.208517075 CET	443	49786	35.201.103.21	192.168.2.5
Dec 13, 2024 03:43:13.118087053 CET	443	49781	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.118315935 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.121243000 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.121275902 CET	443	49781	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.122071981 CET	443	49781	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.123081923 CET	443	49783	35.190.72.216	192.168.2.5
Dec 13, 2024 03:43:13.123224020 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:13.125065088 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.125159979 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.126741886 CET	443	49781	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.127504110 CET	443	49782	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:13.127533913 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:13.127558947 CET	443	49783	35.190.72.216	192.168.2.5
Dec 13, 2024 03:43:13.127599955 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:13.127770901 CET	443	49783	35.190.72.216	192.168.2.5
Dec 13, 2024 03:43:13.128978968 CET	49781	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.128995895 CET	49783	443	192.168.2.5	35.190.72.216
Dec 13, 2024 03:43:13.129024029 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.131505013 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.131522894 CET	443	49782	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:13.131810904 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:13.132282019 CET	443	49782	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:13.134113073 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.134177923 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.134465933 CET	443	49782	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:13.134541988 CET	49782	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.349174023 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:13.361540079 CET	443	49784	151.101.1.91	192.168.2.5
Dec 13, 2024 03:43:13.361990929 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:13.365468979 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:13.365504026 CET	443	49784	151.101.1.91	192.168.2.5
Dec 13, 2024 03:43:13.366067886 CET	443	49784	151.101.1.91	192.168.2.5
Dec 13, 2024 03:43:13.372725010 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:13.372837067 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:13.373008013 CET	443	49784	151.101.1.91	192.168.2.5
Dec 13, 2024 03:43:13.373116970 CET	49784	443	192.168.2.5	151.101.1.91
Dec 13, 2024 03:43:13.381709099 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.381768942 CET	443	49791	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.381930113 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.382023096 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.382030964 CET	443	49791	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.383395910 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.383470058 CET	443	49792	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.383712053 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.383848906 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.383874893 CET	443	49792	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.386049986 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.386092901 CET	443	49793	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.386188984 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.386308908 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:13.386322975 CET	443	49793	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:13.431508064 CET	443	49786	35.201.103.21	192.168.2.5
Dec 13, 2024 03:43:13.431803942 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:13.436105013 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:13.436134100 CET	443	49786	35.201.103.21	192.168.2.5
Dec 13, 2024 03:43:13.436186075 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:13.436435938 CET	443	49786	35.201.103.21	192.168.2.5
Dec 13, 2024 03:43:13.436978102 CET	49786	443	192.168.2.5	35.201.103.21
Dec 13, 2024 03:43:13.448245049 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.448309898 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:13.448537111 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.448652983 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:13.448671103 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:13.569220066 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:13.572423935 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:13.618014097 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:13.692509890 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:13.887466908 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:13.934493065 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:14.598839045 CET	443	49793	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.599066019 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.599741936 CET	443	49791	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.601089001 CET	443	49792	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.601871967 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.601881981 CET	443	49793	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.602221012 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.602268934 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.602576017 CET	443	49793	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.604602098 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.604614973 CET	443	49791	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.605469942 CET	443	49791	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.607103109 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.607131004 CET	443	49792	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.607542038 CET	443	49792	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.609147072 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.609226942 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.609431982 CET	443	49793	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.610317945 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.610382080 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.610722065 CET	443	49791	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.611145973 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.611191988 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.611346960 CET	443	49792	35.244.181.201	192.168.2.5
Dec 13, 2024 03:43:14.615215063 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:14.615674973 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.615691900 CET	49793	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.615703106 CET	49791	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.615711927 CET	49792	443	192.168.2.5	35.244.181.201
Dec 13, 2024 03:43:14.682745934 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:14.682847023 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:14.685889959 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:14.685914993 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:14.686283112 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:14.688502073 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:14.688659906 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:14.688709021 CET	443	49794	34.149.100.209	192.168.2.5
Dec 13, 2024 03:43:14.689474106 CET	49794	443	192.168.2.5	34.149.100.209
Dec 13, 2024 03:43:14.735167027 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:14.930497885 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:14.933377028 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:14.984273911 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:15.053657055 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:15.248769045 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:15.249416113 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:15.300805092 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:15.369220018 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:15.564831972 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:15.567859888 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:15.623806000 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:15.687728882 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:15.883179903 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:15.924695969 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:25.574779034 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:25.694854021 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:25.897294044 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:26.017303944 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:32.009805918 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:32.009892941 CET	443	49839	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:32.010128021 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:32.011352062 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:32.011389017 CET	443	49839	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:33.225209951 CET	443	49839	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:33.225315094 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:33.230555058 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:33.230587006 CET	443	49839	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:33.230690002 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:33.230962992 CET	443	49839	34.107.243.93	192.168.2.5
Dec 13, 2024 03:43:33.231066942 CET	49839	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:43:33.233385086 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:33.353169918 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:33.547904968 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:33.551513910 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:33.598010063 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:33.671397924 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:33.868252039 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:33.921014071 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:43.131391048 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:43.131438017 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:43.131761074 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:43.131803989 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:43.138879061 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:43.138988972 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:43.139146090 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:43.139162064 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:43.139358044 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:43.139374971 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:43.548943996 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:43.668812037 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:43.896759987 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:44.016798019 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:44.394211054 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.394228935 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.394356966 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.395106077 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.395123005 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.395323992 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.397461891 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.397516012 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.398044109 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.399580002 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.399591923 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.399825096 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.403137922 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.403398037 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.403409004 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.403441906 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.403925896 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.403925896 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.404061079 CET	443	49865	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.404166937 CET	49865	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.407943964 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:44.411783934 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.411869049 CET	443	49871	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.413897991 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.414125919 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.414160013 CET	443	49871	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.418442011 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.418467045 CET	443	49872	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.418700933 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.418826103 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.418832064 CET	443	49872	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.420468092 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.420535088 CET	443	49873	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.420667887 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.420777082 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.420794964 CET	443	49873	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.528589964 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:44.615336895 CET	443	49866	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:44.615417004 CET	49866	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:44.722480059 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:44.726018906 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:44.768193960 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:44.847103119 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:45.041907072 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:45.084714890 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:45.668606043 CET	443	49872	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.668745041 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.670520067 CET	443	49873	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.670720100 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.671726942 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.671737909 CET	443	49872	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.672055006 CET	443	49872	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.672945023 CET	443	49871	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.675213099 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.675244093 CET	443	49873	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.675427914 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.675616980 CET	443	49873	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.678524971 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.678553104 CET	443	49871	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.678827047 CET	443	49871	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.682429075 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.682429075 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.682651997 CET	443	49872	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.682933092 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.682981968 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.683187008 CET	443	49873	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.683429003 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.683505058 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.683593988 CET	443	49871	34.120.208.123	192.168.2.5
Dec 13, 2024 03:43:45.685230017 CET	49873	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.685235977 CET	49872	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.685237885 CET	49871	443	192.168.2.5	34.120.208.123
Dec 13, 2024 03:43:45.686022043 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:45.805855036 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:46.001055956 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:46.004096985 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:46.056459904 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:46.124521017 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:46.320157051 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:46.372934103 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:56.012900114 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:56.132946968 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:43:56.344964027 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:43:56.465061903 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:06.142261028 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:06.263900995 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:06.474522114 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:06.594624996 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:13.462213993 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:13.462311029 CET	443	49938	34.107.243.93	192.168.2.5
Dec 13, 2024 03:44:13.462409973 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:13.464451075 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:13.464488983 CET	443	49938	34.107.243.93	192.168.2.5
Dec 13, 2024 03:44:14.683217049 CET	443	49938	34.107.243.93	192.168.2.5
Dec 13, 2024 03:44:14.683564901 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:14.688622952 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:14.688676119 CET	443	49938	34.107.243.93	192.168.2.5
Dec 13, 2024 03:44:14.688761950 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:14.688834906 CET	443	49938	34.107.243.93	192.168.2.5
Dec 13, 2024 03:44:14.689012051 CET	49938	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:44:14.692049026 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:14.812824011 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:15.006978989 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:15.016664028 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:15.057805061 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:15.137150049 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:15.354505062 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:15.405431986 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:25.017116070 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:25.136976957 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:25.364648104 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:25.484448910 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:35.143908978 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:35.264535904 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:35.491719961 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:35.611732006 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:45.274300098 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:45.394098043 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:45.622091055 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:45.742023945 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:55.403182030 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:55.523334980 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:44:55.750863075 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:44:55.870556116 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:05.531248093 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:05.651520967 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:05.878839016 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:05.999109030 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:15.660922050 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:15.781291962 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:16.008521080 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:16.129059076 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:25.790049076 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:25.910541058 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:26.135246992 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:26.255544901 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:34.983685970 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:34.983731031 CET	443	50030	34.107.243.93	192.168.2.5
Dec 13, 2024 03:45:34.983828068 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:34.985162973 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:34.985186100 CET	443	50030	34.107.243.93	192.168.2.5
Dec 13, 2024 03:45:35.919368982 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:36.040258884 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:36.235660076 CET	443	50030	34.107.243.93	192.168.2.5
Dec 13, 2024 03:45:36.235995054 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:36.240967035 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:36.240982056 CET	443	50030	34.107.243.93	192.168.2.5
Dec 13, 2024 03:45:36.241050005 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:36.241277933 CET	443	50030	34.107.243.93	192.168.2.5
Dec 13, 2024 03:45:36.241753101 CET	50030	443	192.168.2.5	34.107.243.93
Dec 13, 2024 03:45:36.243635893 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:36.266613007 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:36.363898039 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:36.386992931 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:36.558828115 CET	80	49732	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:36.562279940 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:36.605528116 CET	49732	80	192.168.2.5	34.107.221.82
Dec 13, 2024 03:45:36.682882071 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:36.877712011 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 03:45:36.921808958 CET	49725	80	192.168.2.5	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 03:42:43.364831924 CET	51501	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:43.507123947 CET	53	51501	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:43.519120932 CET	52869	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:43.764051914 CET	53	52869	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:44.053052902 CET	59441	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:44.180319071 CET	49950	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:44.190814018 CET	53	59441	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:44.205796003 CET	58570	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:44.343060970 CET	53	58570	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:44.343919992 CET	60682	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:44.521524906 CET	57211	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:44.532428980 CET	59960	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:44.556186914 CET	53	60682	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:44.659070015 CET	53	57211	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:44.671587944 CET	53	59960	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.158314943 CET	61035	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.158602953 CET	61447	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.159298897 CET	52537	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.224441051 CET	53738	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.295641899 CET	53	61035	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.295732975 CET	53	61447	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.296642065 CET	65403	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.297173977 CET	53	52537	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.300370932 CET	63206	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.314668894 CET	59366	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.362080097 CET	53	53738	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.434736967 CET	53	65403	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.438647032 CET	53	63206	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.445945978 CET	63910	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.446432114 CET	55832	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.452657938 CET	53	59366	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.583991051 CET	53	63910	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.651565075 CET	58795	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.668510914 CET	53	55832	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.669421911 CET	52906	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:45.789268970 CET	53	58795	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:45.808924913 CET	53	52906	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:46.458302021 CET	50708	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:46.458739042 CET	57563	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:46.515022993 CET	65264	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:46.597615004 CET	53	50708	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:46.597635031 CET	53	57563	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:46.804471016 CET	63509	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:46.822853088 CET	49694	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:46.961024046 CET	53	49694	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:46.962070942 CET	61048	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.099630117 CET	53	61048	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.100009918 CET	50301	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.109884024 CET	63907	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.238238096 CET	53	50301	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.240957975 CET	64271	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.247204065 CET	53	63907	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.282257080 CET	63924	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.378591061 CET	53	64271	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.379371881 CET	59118	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.419624090 CET	53	63924	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.420434952 CET	51800	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:47.517488956 CET	53	59118	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.558368921 CET	53	51800	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:47.636518002 CET	53	53755	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:50.359270096 CET	64666	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:51.094948053 CET	53	64666	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:51.096029997 CET	63377	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:51.236764908 CET	53	63377	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:51.237678051 CET	55002	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:51.750363111 CET	53	55002	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:56.914132118 CET	63106	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:56.914623022 CET	55425	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:56.914844036 CET	53528	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.051460028 CET	53	63106	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.052444935 CET	65140	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.052922010 CET	53	55425	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.053617001 CET	52965	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.189843893 CET	53	65140	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.190752029 CET	53471	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.190834999 CET	53	52965	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.191293955 CET	63486	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.217187881 CET	53	53528	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.327573061 CET	53	53471	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.328577042 CET	53	63486	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.508805990 CET	64580	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.509912968 CET	60293	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.510068893 CET	59698	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.647038937 CET	53	59698	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.647728920 CET	53	60293	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.649188995 CET	59474	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.649189949 CET	64918	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.722539902 CET	53	64580	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.727844954 CET	64290	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.787184000 CET	53	64918	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.787517071 CET	53	59474	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.787997961 CET	62386	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.788223028 CET	57233	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.925416946 CET	53	62386	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.949924946 CET	53	64290	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:57.969888926 CET	63383	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:57.998126030 CET	53	57233	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:58.025948048 CET	63930	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:42:58.107527971 CET	53	63383	1.1.1.1	192.168.2.5
Dec 13, 2024 03:42:58.163404942 CET	53	63930	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:10.129466057 CET	60303	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:10.297148943 CET	53	60303	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:11.895694971 CET	56931	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:11.897033930 CET	56758	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:11.908138990 CET	57536	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:12.034080029 CET	53	56758	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:12.115057945 CET	53	56931	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:12.116358042 CET	56415	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:12.205878019 CET	53	57536	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:12.207257032 CET	57871	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:12.253906012 CET	53	56415	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:12.254703999 CET	51336	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:12.405965090 CET	53	57871	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:12.406745911 CET	56050	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:12.475764036 CET	53	51336	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:12.544725895 CET	53	56050	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:31.870918036 CET	55529	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:32.008857012 CET	53	55529	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:32.010055065 CET	59787	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:32.147037029 CET	53	59787	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:43.122255087 CET	62550	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:43:43.336558104 CET	53	62550	1.1.1.1	192.168.2.5
Dec 13, 2024 03:43:44.408611059 CET	65215	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:44:13.461997032 CET	52828	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:44:13.599744081 CET	53	52828	1.1.1.1	192.168.2.5
Dec 13, 2024 03:44:14.692327023 CET	49703	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:45:34.704232931 CET	51952	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:45:34.842119932 CET	53	51952	1.1.1.1	192.168.2.5
Dec 13, 2024 03:45:34.843817949 CET	63450	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:45:34.982481956 CET	53	63450	1.1.1.1	192.168.2.5
Dec 13, 2024 03:45:34.983612061 CET	55889	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:45:35.120923996 CET	53	55889	1.1.1.1	192.168.2.5
Dec 13, 2024 03:45:36.243751049 CET	64385	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:45:36.383280039 CET	60522	53	192.168.2.5	1.1.1.1
Dec 13, 2024 03:45:36.523519039 CET	53	60522	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 03:42:43.364831924 CET	192.168.2.5	1.1.1.1	0x6c98	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:43.519120932 CET	192.168.2.5	1.1.1.1	0x7aab	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:44.053052902 CET	192.168.2.5	1.1.1.1	0x3827	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.180319071 CET	192.168.2.5	1.1.1.1	0xadf7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.205796003 CET	192.168.2.5	1.1.1.1	0xb91e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.343919992 CET	192.168.2.5	1.1.1.1	0x774c	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:44.521524906 CET	192.168.2.5	1.1.1.1	0x211d	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.532428980 CET	192.168.2.5	1.1.1.1	0x1767	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.158314943 CET	192.168.2.5	1.1.1.1	0x6124	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.158602953 CET	192.168.2.5	1.1.1.1	0xa412	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.159298897 CET	192.168.2.5	1.1.1.1	0x5b74	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.224441051 CET	192.168.2.5	1.1.1.1	0xdc5c	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.296642065 CET	192.168.2.5	1.1.1.1	0x5371	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:45.300370932 CET	192.168.2.5	1.1.1.1	0xab1b	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:45.314668894 CET	192.168.2.5	1.1.1.1	0xec8	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:45.445945978 CET	192.168.2.5	1.1.1.1	0x8ed1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.446432114 CET	192.168.2.5	1.1.1.1	0x4d9e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.651565075 CET	192.168.2.5	1.1.1.1	0x77ea	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:45.669421911 CET	192.168.2.5	1.1.1.1	0x638	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:46.458302021 CET	192.168.2.5	1.1.1.1	0xf823	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.458739042 CET	192.168.2.5	1.1.1.1	0x80c9	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.515022993 CET	192.168.2.5	1.1.1.1	0x5eff	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.804471016 CET	192.168.2.5	1.1.1.1	0x7c5e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.822853088 CET	192.168.2.5	1.1.1.1	0x8a69	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.962070942 CET	192.168.2.5	1.1.1.1	0xbaf7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.100009918 CET	192.168.2.5	1.1.1.1	0xb85a	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.109884024 CET	192.168.2.5	1.1.1.1	0xb8bb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:47.240957975 CET	192.168.2.5	1.1.1.1	0x5900	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.282257080 CET	192.168.2.5	1.1.1.1	0xd19f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.379371881 CET	192.168.2.5	1.1.1.1	0x68c1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:47.420434952 CET	192.168.2.5	1.1.1.1	0xf823	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:50.359270096 CET	192.168.2.5	1.1.1.1	0x1709	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:51.096029997 CET	192.168.2.5	1.1.1.1	0x5a44	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:51.237678051 CET	192.168.2.5	1.1.1.1	0x63d3	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:56.914132118 CET	192.168.2.5	1.1.1.1	0x2252	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:56.914623022 CET	192.168.2.5	1.1.1.1	0x5509	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:56.914844036 CET	192.168.2.5	1.1.1.1	0xed6c	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.052444935 CET	192.168.2.5	1.1.1.1	0x37ec	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.053617001 CET	192.168.2.5	1.1.1.1	0x2d68	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.190752029 CET	192.168.2.5	1.1.1.1	0x4f44	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:57.191293955 CET	192.168.2.5	1.1.1.1	0xed68	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:57.508805990 CET	192.168.2.5	1.1.1.1	0x9903	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.509912968 CET	192.168.2.5	1.1.1.1	0x2094	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.510068893 CET	192.168.2.5	1.1.1.1	0x67c0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.649188995 CET	192.168.2.5	1.1.1.1	0xc07a	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.649189949 CET	192.168.2.5	1.1.1.1	0xaeb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.727844954 CET	192.168.2.5	1.1.1.1	0x529c	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 03:42:57.787997961 CET	192.168.2.5	1.1.1.1	0x6b3c	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:57.788223028 CET	192.168.2.5	1.1.1.1	0xe981	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 03:42:57.969888926 CET	192.168.2.5	1.1.1.1	0xd468	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:42:58.025948048 CET	192.168.2.5	1.1.1.1	0x156e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:43:10.129466057 CET	192.168.2.5	1.1.1.1	0x8bac	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:43:11.895694971 CET	192.168.2.5	1.1.1.1	0x8a89	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:11.897033930 CET	192.168.2.5	1.1.1.1	0xa49d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 03:43:11.908138990 CET	192.168.2.5	1.1.1.1	0x1727	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.116358042 CET	192.168.2.5	1.1.1.1	0x51e4	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.207257032 CET	192.168.2.5	1.1.1.1	0xcc29	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.254703999 CET	192.168.2.5	1.1.1.1	0x8d45	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 03:43:12.406745911 CET	192.168.2.5	1.1.1.1	0x686f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:43:31.870918036 CET	192.168.2.5	1.1.1.1	0xfb76	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:32.010055065 CET	192.168.2.5	1.1.1.1	0xeb1a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:43:43.122255087 CET	192.168.2.5	1.1.1.1	0xa4b8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:43:44.408611059 CET	192.168.2.5	1.1.1.1	0x599a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:44:13.461997032 CET	192.168.2.5	1.1.1.1	0x63aa	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:44:14.692327023 CET	192.168.2.5	1.1.1.1	0xfd65	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:34.704232931 CET	192.168.2.5	1.1.1.1	0xc3ce	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:34.843817949 CET	192.168.2.5	1.1.1.1	0xd677	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:34.983612061 CET	192.168.2.5	1.1.1.1	0xba52	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 03:45:36.243751049 CET	192.168.2.5	1.1.1.1	0x70c8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:36.383280039 CET	192.168.2.5	1.1.1.1	0xe763	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 03:42:43.360941887 CET	1.1.1.1	192.168.2.5	0x85f7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:43.507123947 CET	1.1.1.1	192.168.2.5	0x6c98	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.190814018 CET	1.1.1.1	192.168.2.5	0x3827	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.343060970 CET	1.1.1.1	192.168.2.5	0xb91e	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.556186914 CET	1.1.1.1	192.168.2.5	0x774c	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 03:42:44.602972984 CET	1.1.1.1	192.168.2.5	0xadf7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:44.602972984 CET	1.1.1.1	192.168.2.5	0xadf7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.659070015 CET	1.1.1.1	192.168.2.5	0x211d	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:44.671587944 CET	1.1.1.1	192.168.2.5	0x1767	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:44.671587944 CET	1.1.1.1	192.168.2.5	0x1767	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.295641899 CET	1.1.1.1	192.168.2.5	0x6124	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.295732975 CET	1.1.1.1	192.168.2.5	0xa412	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.296658039 CET	1.1.1.1	192.168.2.5	0x3b78	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:45.296658039 CET	1.1.1.1	192.168.2.5	0x3b78	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.297173977 CET	1.1.1.1	192.168.2.5	0x5b74	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.362080097 CET	1.1.1.1	192.168.2.5	0xdc5c	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:45.362080097 CET	1.1.1.1	192.168.2.5	0xdc5c	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:45.362080097 CET	1.1.1.1	192.168.2.5	0xdc5c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.434736967 CET	1.1.1.1	192.168.2.5	0x5371	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 03:42:45.583991051 CET	1.1.1.1	192.168.2.5	0x8ed1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.668510914 CET	1.1.1.1	192.168.2.5	0x4d9e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:45.808924913 CET	1.1.1.1	192.168.2.5	0x638	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 03:42:46.597615004 CET	1.1.1.1	192.168.2.5	0xf823	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.597635031 CET	1.1.1.1	192.168.2.5	0x80c9	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.597635031 CET	1.1.1.1	192.168.2.5	0x80c9	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.655951023 CET	1.1.1.1	192.168.2.5	0x5eff	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:46.655951023 CET	1.1.1.1	192.168.2.5	0x5eff	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:46.961024046 CET	1.1.1.1	192.168.2.5	0x8a69	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.099630117 CET	1.1.1.1	192.168.2.5	0xbaf7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.168241978 CET	1.1.1.1	192.168.2.5	0x7c5e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:47.231735945 CET	1.1.1.1	192.168.2.5	0x419c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:47.231735945 CET	1.1.1.1	192.168.2.5	0x419c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.234949112 CET	1.1.1.1	192.168.2.5	0x9d3d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.238238096 CET	1.1.1.1	192.168.2.5	0xb85a	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:47.238238096 CET	1.1.1.1	192.168.2.5	0xb85a	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.378591061 CET	1.1.1.1	192.168.2.5	0x5900	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:47.419624090 CET	1.1.1.1	192.168.2.5	0xd19f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:50.548222065 CET	1.1.1.1	192.168.2.5	0xf73d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:51.094948053 CET	1.1.1.1	192.168.2.5	0x1709	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:51.094948053 CET	1.1.1.1	192.168.2.5	0x1709	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:51.094948053 CET	1.1.1.1	192.168.2.5	0x1709	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:51.236764908 CET	1.1.1.1	192.168.2.5	0x5a44	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.051460028 CET	1.1.1.1	192.168.2.5	0x2252	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.052922010 CET	1.1.1.1	192.168.2.5	0x5509	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:57.052922010 CET	1.1.1.1	192.168.2.5	0x5509	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.189843893 CET	1.1.1.1	192.168.2.5	0x37ec	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.190834999 CET	1.1.1.1	192.168.2.5	0x2d68	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.217187881 CET	1.1.1.1	192.168.2.5	0xed6c	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:57.217187881 CET	1.1.1.1	192.168.2.5	0xed6c	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.327573061 CET	1.1.1.1	192.168.2.5	0x4f44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 03:42:57.327573061 CET	1.1.1.1	192.168.2.5	0x4f44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 03:42:57.327573061 CET	1.1.1.1	192.168.2.5	0x4f44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 03:42:57.327573061 CET	1.1.1.1	192.168.2.5	0x4f44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 03:42:57.328577042 CET	1.1.1.1	192.168.2.5	0xed68	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 03:42:57.647038937 CET	1.1.1.1	192.168.2.5	0x67c0	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.647728920 CET	1.1.1.1	192.168.2.5	0x2094	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:42:57.647728920 CET	1.1.1.1	192.168.2.5	0x2094	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.647728920 CET	1.1.1.1	192.168.2.5	0x2094	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.647728920 CET	1.1.1.1	192.168.2.5	0x2094	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.647728920 CET	1.1.1.1	192.168.2.5	0x2094	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.722539902 CET	1.1.1.1	192.168.2.5	0x9903	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.787184000 CET	1.1.1.1	192.168.2.5	0xaeb	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.787517071 CET	1.1.1.1	192.168.2.5	0xc07a	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.787517071 CET	1.1.1.1	192.168.2.5	0xc07a	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.787517071 CET	1.1.1.1	192.168.2.5	0xc07a	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.787517071 CET	1.1.1.1	192.168.2.5	0xc07a	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:42:57.949924946 CET	1.1.1.1	192.168.2.5	0x529c	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 03:43:12.115057945 CET	1.1.1.1	192.168.2.5	0x8a89	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.115057945 CET	1.1.1.1	192.168.2.5	0x8a89	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.115057945 CET	1.1.1.1	192.168.2.5	0x8a89	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.115057945 CET	1.1.1.1	192.168.2.5	0x8a89	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.205878019 CET	1.1.1.1	192.168.2.5	0x1727	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:43:12.205878019 CET	1.1.1.1	192.168.2.5	0x1727	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.253906012 CET	1.1.1.1	192.168.2.5	0x51e4	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.253906012 CET	1.1.1.1	192.168.2.5	0x51e4	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.253906012 CET	1.1.1.1	192.168.2.5	0x51e4	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.253906012 CET	1.1.1.1	192.168.2.5	0x51e4	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.405965090 CET	1.1.1.1	192.168.2.5	0xcc29	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:12.475764036 CET	1.1.1.1	192.168.2.5	0x8d45	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 03:43:12.475764036 CET	1.1.1.1	192.168.2.5	0x8d45	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 03:43:12.475764036 CET	1.1.1.1	192.168.2.5	0x8d45	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 03:43:12.475764036 CET	1.1.1.1	192.168.2.5	0x8d45	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 03:43:15.124280930 CET	1.1.1.1	192.168.2.5	0xe901	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:43:15.124280930 CET	1.1.1.1	192.168.2.5	0xe901	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:43:32.008857012 CET	1.1.1.1	192.168.2.5	0xfb76	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:43.119538069 CET	1.1.1.1	192.168.2.5	0x1a3a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:43:44.547441959 CET	1.1.1.1	192.168.2.5	0x599a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:43:44.547441959 CET	1.1.1.1	192.168.2.5	0x599a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:44:14.831173897 CET	1.1.1.1	192.168.2.5	0xfd65	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:44:14.831173897 CET	1.1.1.1	192.168.2.5	0xfd65	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:34.842119932 CET	1.1.1.1	192.168.2.5	0xc3ce	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:34.982481956 CET	1.1.1.1	192.168.2.5	0xd677	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:36.381844997 CET	1.1.1.1	192.168.2.5	0x70c8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 03:45:36.381844997 CET	1.1.1.1	192.168.2.5	0x70c8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 03:45:36.523519039 CET	1.1.1.1	192.168.2.5	0xe763	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	34.107.221.82	80	6156	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 03:42:45.272403955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:42:46.360814095 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 59601 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:42:46.513339043 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:42:46.829596996 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 59601 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49722	34.107.221.82	80	6156	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 03:42:46.777080059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	34.107.221.82	80	6156	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 03:42:46.971633911 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:42:48.059199095 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59659 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:42:50.401099920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:42:50.716928959 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59662 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:42:50.731460094 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:42:51.047105074 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59662 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:42:57.509735107 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:42:57.832685947 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59669 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:00.112046003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:00.439668894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59672 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:00.500072002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:00.816350937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59672 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:10.825608015 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:43:11.729439020 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:12.044785976 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59683 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:13.572423935 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:13.887466908 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59685 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:14.933377028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:15.248769045 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59687 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:15.567859888 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:15.883179903 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59687 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:25.897294044 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:43:33.551513910 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:33.868252039 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59705 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:43.896759987 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:43:44.726018906 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:45.041907072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59716 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:46.004096985 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:43:46.320157051 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59718 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:43:56.344964027 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:06.474522114 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:15.016664028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:44:15.354505062 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59747 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 03:44:25.364648104 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:35.491719961 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:45.622091055 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:55.750863075 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:45:05.878839016 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:45:36.562279940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 03:45:36.877712011 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 59828 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49732	34.107.221.82	80	6156	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 03:42:48.034743071 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:42:49.120611906 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55506 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:42:50.406354904 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:42:50.721414089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55508 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:42:51.794217110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:42:52.130734921 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55509 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:42:57.720370054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:42:58.035511017 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55515 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:00.165783882 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:00.481498957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55518 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:10.487068892 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:43:11.410727978 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:11.725506067 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55529 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:13.131810904 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:13.569220066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55531 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:14.615215063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:14.930497885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55532 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:15.249416113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:15.564831972 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55533 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:25.574779034 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:43:33.233385086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:33.547904968 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55551 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:43.548943996 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:43:44.407943964 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:44.722480059 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55562 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:45.686022043 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:43:46.001055956 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55563 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:43:56.012900114 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:06.142261028 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:14.692049026 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:44:15.006978989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55592 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 03:44:25.017116070 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:35.143908978 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:45.274300098 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:44:55.403182030 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:45:05.531248093 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 03:45:36.243635893 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 03:45:36.558828115 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 55674 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	21:42:34
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x910000
File size:	969'216 bytes
MD5 hash:	5ECF37910C2EE428328D45AC7BCCAD85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:42:35
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:42:35
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:42:37
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:42:37
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:42:38
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:42:38
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:42:38
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:42:38
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:42:38
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xfe0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:42:38
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:42:39
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:42:39
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:42:39
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	21:42:40
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd48ffe2-a6ab-49c9-8773-ea88117d718a} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1784ec6f710 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	21:42:42
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4408 -parentBuildID 20230927232528 -prefsHandle 4400 -prefMapHandle 4396 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f66020-2320-4999-b330-4a90c682fd5e} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 1786104ad10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	21:42:45
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e265c5d-bf32-482b-a1cc-80247191915d} 6156 "\\.\pipe\gecko-crash-server-pipe.6156" 17860075f10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1738
Total number of Limit Nodes:	54

Executed Functions

Function 009142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0091430D

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

GetCurrentProcess.KERNEL32(?,009ACB64,00000000,?,?), ref: 00914422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00914429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00914454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00914466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00914474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0091447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009144A0

Strings

kernel32.dll, xrefs: 0091444F
|O, xrefs: 009536F8
GetNativeSystemInfo, xrefs: 00914460

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 59174b2b3e8b175201c2c7ecb44d0979816e8902a77670d40cfe6b728972c99c
Instruction ID: 8dbac7ff0bf77d9aed00edbe0b124db21a0bc9ab5a248b4b9eab696236b91aa8
Opcode Fuzzy Hash: 59174b2b3e8b175201c2c7ecb44d0979816e8902a77670d40cfe6b728972c99c
Instruction Fuzzy Hash: 64A1D671A3E2C4CFC711C7697CC16D97FE86B2A741B08A899E4419FA62D2344D88EB71

Function 009142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009150AA,?,?,00000000,00000000), ref: 009142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009150AA,?,?,00000000,00000000), ref: 009142C9
LoadResource.KERNEL32(?,00000000,?,?,009150AA,?,?,00000000,00000000,?,?,?,?,?,?,00914F20), ref: 009535BE
SizeofResource.KERNEL32(?,00000000,?,?,009150AA,?,?,00000000,00000000,?,?,?,?,?,?,00914F20), ref: 009535D3
LockResource.KERNEL32(009150AA,?,?,009150AA,?,?,00000000,00000000,?,?,?,?,?,?,00914F20,?), ref: 009535E6

Strings

SCRIPT, xrefs: 009142BF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 70cf2ec84d032aba1b70c54b0568cd535e491c5cb26e331c3e8207209e02f19c
Instruction ID: 8fb9ded0277207578b36d272ad5f20ebc232cb383fe3fbabb41bd6fb045cfe47
Opcode Fuzzy Hash: 70cf2ec84d032aba1b70c54b0568cd535e491c5cb26e331c3e8207209e02f19c
Instruction Fuzzy Hash: 46117CB0300704BFD7218B65DC48F677BBEEFCAB51F108569B8229A250DB71D8409660

Function 00952BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00912B6B

Part of subcall function 00913A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009E1418,?,00912E7F,?,?,?,00000000), ref: 00913A78

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,009D2224), ref: 00952C10
ShellExecuteW.SHELL32(00000000,?,?,009D2224), ref: 00952C17

Strings

runas, xrefs: 00952C0B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a261a1e29b79507bfc6da9b8704300bc4198f531e44a64fab8fd78da826e5bac
Instruction ID: dfde6272ace22e109ef1f35b947ecbd66755aacc78eef795826fb0f49d1d7bcc
Opcode Fuzzy Hash: a261a1e29b79507bfc6da9b8704300bc4198f531e44a64fab8fd78da826e5bac
Instruction Fuzzy Hash: 1211D23134C3496AC715FF20D851AFE77A89FD2310F44442DB192061A2DF308A8A9752

Function 0097D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0097D501
Process32FirstW.KERNEL32(00000000,?), ref: 0097D50F
Process32NextW.KERNEL32(00000000,?), ref: 0097D52F
CloseHandle.KERNEL32(00000000), ref: 0097D5DC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 21d9fe7a60f85a2f422af4b87cbd67acce7a8bfa0440690135c2569fd8078f5b
Instruction ID: 78408d8f5f8374f0c34f8bcf4456a84c7c31223a3bc6c68867acb101c8c8e16d
Opcode Fuzzy Hash: 21d9fe7a60f85a2f422af4b87cbd67acce7a8bfa0440690135c2569fd8078f5b
Instruction Fuzzy Hash: 0F31A2722083049FD301EF54C891BAFBBF8EFD9354F14492DF589861A1EB71A985CB92

Function 0097DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00955222), ref: 0097DBCE
GetFileAttributesW.KERNEL32(?), ref: 0097DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0097DBEE
FindClose.KERNEL32(00000000), ref: 0097DBFA

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fdd5aa761573f73852f9cc981876e58f73cd9b61c67ad40f0fb93310bc16b063
Instruction ID: e4f39111d91b1a0b4e310ea0c9e087ca2f14cea5b25a827a1cc6184bfc5c9d4c
Opcode Fuzzy Hash: fdd5aa761573f73852f9cc981876e58f73cd9b61c67ad40f0fb93310bc16b063
Instruction Fuzzy Hash: 9AF02B728299105782216B7CEC0D8AA37BC9E03334B188702FCBAC20F0EFB09D54D6D5

Function 0096D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0096D220

Strings

%.3d, xrefs: 0096D22B
X64, xrefs: 0096D2A8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6df026113c53e0952a86686d257afdb3d9b1f517d6c9546466f3c3460bcb1618
Instruction ID: c6f4ca81ce94791e70abb4f750b009c57883e48972ff02610bda90a08f1256ba
Opcode Fuzzy Hash: 6df026113c53e0952a86686d257afdb3d9b1f517d6c9546466f3c3460bcb1618
Instruction Fuzzy Hash: 04D012A1D4A118E9CB9096D0EC559B9B37CAF48301F508863F836A1044E72CD508A761

Function 00934CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009428E9,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002,00000000,?,009428E9), ref: 00934D09
TerminateProcess.KERNEL32(00000000,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002,00000000,?,009428E9), ref: 00934D10
ExitProcess.KERNEL32 ref: 00934D22

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8c6ccaf0efb8537f7ca3d10051dfaf47f7e090751d4c73edf64001b505409e87
Instruction ID: 60c7011f2a22f4f49c79c33a1accd7156217dcbf43829161bc7b37d639217d07
Opcode Fuzzy Hash: 8c6ccaf0efb8537f7ca3d10051dfaf47f7e090751d4c73edf64001b505409e87
Instruction Fuzzy Hash: C1E0B671014148BBCF11AF64DD0AA593B69EF82785F118014FC199E172CB35FD42DF80

Function 0096D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0096D28C

Strings

X64, xrefs: 0096D2A8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5e710c8d6dd8a2e90cd1b5807beaac3747a0930dd68eda2c1c3e7aa43c1ef2a1
Instruction ID: 250deca1b3cf1ce4b6501df71f8a24874a3d093d60ace30b3c3ad026dc790704
Opcode Fuzzy Hash: 5e710c8d6dd8a2e90cd1b5807beaac3747a0930dd68eda2c1c3e7aa43c1ef2a1
Instruction Fuzzy Hash: 1DD0CAB481616DEACF90CBA0EC88DDAB3BCBF04305F100A92F106A2000DB3896489F20

Function 0099AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0099B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0099B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0099B1D4
_wcslen.LIBCMT ref: 0099B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0099B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0099B236
_wcslen.LIBCMT ref: 0099B332

Part of subcall function 009805A7: GetStdHandle.KERNEL32(000000F6), ref: 009805C6

_wcslen.LIBCMT ref: 0099B34B
_wcslen.LIBCMT ref: 0099B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0099B3B6
GetLastError.KERNEL32(00000000), ref: 0099B407
CloseHandle.KERNEL32(?), ref: 0099B439
CloseHandle.KERNEL32(00000000), ref: 0099B44A
CloseHandle.KERNEL32(00000000), ref: 0099B45C
CloseHandle.KERNEL32(00000000), ref: 0099B46E
CloseHandle.KERNEL32(?), ref: 0099B4E3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5251fa71e9e592174260a0daf866fe996cb9a3279264f013ef350eee64194d30
Instruction ID: 09fbe93ef56ec4d917b98346188e5b9e6f41d067d1e435d5bc24d5f405cddf71
Opcode Fuzzy Hash: 5251fa71e9e592174260a0daf866fe996cb9a3279264f013ef350eee64194d30
Instruction Fuzzy Hash: 94F1BE316083009FCB14EF28D991B6EBBE5AFC5710F14895DF8998B2A2DB35EC44CB52

Function 0091D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0091D807
timeGetTime.WINMM ref: 0091DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091DB28
TranslateMessage.USER32(?), ref: 0091DB7B
DispatchMessageW.USER32(?), ref: 0091DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091DB9F
Sleep.KERNEL32(0000000A), ref: 0091DBB1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d03243b46561edf9db70d487a05213a35cf193a7f11ebcaed6ba40185c48e07c
Instruction ID: af4022b48618a324012f764954c870abbb32de1ee41a7b9e102031f804de648e
Opcode Fuzzy Hash: d03243b46561edf9db70d487a05213a35cf193a7f11ebcaed6ba40185c48e07c
Instruction Fuzzy Hash: 9842F370709745DFD728CF24C894BAAB7E8BF86304F14895DF4A68B291D774E884DB82

Function 00912CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00912D07
RegisterClassExW.USER32(00000030), ref: 00912D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00912D42
InitCommonControlsEx.COMCTL32(?), ref: 00912D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00912D6F
LoadIconW.USER32(000000A9), ref: 00912D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00912D94

Strings

TaskbarCreated, xrefs: 00912D37
0, xrefs: 00912CE9
+, xrefs: 00912CF0
AutoIt v3 GUI, xrefs: 00912D23

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1c1c546acabb9e6d4da779f7b17e74854a8fcff29bfc5e6c13ef8eb24935484b
Instruction ID: 87ba026ca74bef6207db06b0393bbc7c81b0ce647ce7db0e92293fbbf19d0476
Opcode Fuzzy Hash: 1c1c546acabb9e6d4da779f7b17e74854a8fcff29bfc5e6c13ef8eb24935484b
Instruction Fuzzy Hash: 8A21C4B5925358EFDB00DFA4EC89BDDBBB4FB09700F00811AF511AA2A0D7B54944EF91

Function 0095065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0095039A: CreateFileW.KERNEL32(00000000,00000000,?,00950704,?,?,00000000,?,00950704,00000000,0000000C), ref: 009503B7

GetLastError.KERNEL32 ref: 0095076F
__dosmaperr.LIBCMT ref: 00950776
GetFileType.KERNEL32(00000000), ref: 00950782
GetLastError.KERNEL32 ref: 0095078C
__dosmaperr.LIBCMT ref: 00950795
CloseHandle.KERNEL32(00000000), ref: 009507B5
CloseHandle.KERNEL32(?), ref: 009508FF
GetLastError.KERNEL32 ref: 00950931
__dosmaperr.LIBCMT ref: 00950938

Strings

H, xrefs: 009508BD

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 35fd16e257a949438aa6f9839b89d41b045be0d1d18effcf2951704591c86e3d
Instruction ID: 784d94e489dfca7fca0c81c34ccf53cfbff0a044bb375c9f37cfb70244903f0b
Opcode Fuzzy Hash: 35fd16e257a949438aa6f9839b89d41b045be0d1d18effcf2951704591c86e3d
Instruction Fuzzy Hash: 99A13432A141448FDF19EF68DC92BAE3BA4AB8A321F140159FC119F392DB319C16DB91

Function 0091344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00913A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009E1418,?,00912E7F,?,?,?,00000000), ref: 00913A78

Part of subcall function 00913357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00913379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0091356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0095318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009531CE
RegCloseKey.ADVAPI32(?), ref: 00953210
_wcslen.LIBCMT ref: 00953277
_wcslen.LIBCMT ref: 00953286

Strings

Include, xrefs: 00953184, 009531C5
\, xrefs: 0095328C
\Include\, xrefs: 00913527
Software\AutoIt v3\AutoIt, xrefs: 00913560

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: af4e68a0b631cc9380360584af5b1aab3c4726acf0c16e6bd276928ceb1aeaa8
Instruction ID: 43e2d279d43f75d962390396e4265732f909c8cc3968e19b226854b0174b5998
Opcode Fuzzy Hash: af4e68a0b631cc9380360584af5b1aab3c4726acf0c16e6bd276928ceb1aeaa8
Instruction Fuzzy Hash: 94719FB15183449EC314EF25DC82AABBBECFF85B40F40542EF5558B160EB749A88DFA1

Function 00912B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00912B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00912B9D
LoadIconW.USER32(00000063), ref: 00912BB3
LoadIconW.USER32(000000A4), ref: 00912BC5
LoadIconW.USER32(000000A2), ref: 00912BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00912BEF
RegisterClassExW.USER32(?), ref: 00912C40

Part of subcall function 00912CD4: GetSysColorBrush.USER32(0000000F), ref: 00912D07
Part of subcall function 00912CD4: RegisterClassExW.USER32(00000030), ref: 00912D31
Part of subcall function 00912CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00912D42
Part of subcall function 00912CD4: InitCommonControlsEx.COMCTL32(?), ref: 00912D5F
Part of subcall function 00912CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00912D6F
Part of subcall function 00912CD4: LoadIconW.USER32(000000A9), ref: 00912D85
Part of subcall function 00912CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00912D94

Strings

AutoIt v3, xrefs: 00912C2F
0, xrefs: 00912C0F
#, xrefs: 00912C16

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7642ad882d3a28affcc7655aea4d67ec3c1afb67fcda2bb3b72531919f54239a
Instruction ID: 5deb61bc791acafea1be80e090040baa1d257ec478e13b12651c49d75419da83
Opcode Fuzzy Hash: 7642ad882d3a28affcc7655aea4d67ec3c1afb67fcda2bb3b72531919f54239a
Instruction Fuzzy Hash: EB211AB4E28358AFDB109FA5EC95AAD7FB4FB48B50F00501AF500AA7A0D7B15940EF90

Function 00913170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0091316A,?,?), ref: 009131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0091316A,?,?), ref: 00913204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00913227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0091316A,?,?), ref: 00913232
CreatePopupMenu.USER32 ref: 00913246
PostQuitMessage.USER32(00000000), ref: 00913267

Strings

TaskbarCreated, xrefs: 0091322D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9ca57ca0cd8c6ec14d58958d4c1c4298ceb4960aee7ab8f4865542920f035d33
Instruction ID: 6b9dd23828c616c5a908191a7a965500029d2d6ebb1da9212f087be7bf697cfe
Opcode Fuzzy Hash: 9ca57ca0cd8c6ec14d58958d4c1c4298ceb4960aee7ab8f4865542920f035d33
Instruction Fuzzy Hash: 7241273135824CBBDF256B789D4DBFD367DEB46340F048525F9128A2A2CB758EC0A7A1

Function 00911410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00911459
CoUninitialize.COMBASE ref: 009114F8
UnregisterHotKey.USER32(?), ref: 009116DD
DestroyWindow.USER32(?), ref: 009524B9
FreeLibrary.KERNEL32(?), ref: 0095251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0095254B

Strings

close all, xrefs: 00911454

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 456666dd93bc4b174ccd1d694bf2c69ab6c415a4128ed9e14d6af4a1122ee065
Instruction ID: 26e78f35de3a6ba46b9e106c60fb92986886438b337132ca0144b0380013bdca
Opcode Fuzzy Hash: 456666dd93bc4b174ccd1d694bf2c69ab6c415a4128ed9e14d6af4a1122ee065
Instruction Fuzzy Hash: F4D1AC31702222DFCB29EF15C899B69F7A4BF46701F1441ADE94A6B261DB30EC56CF90

Function 0097DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0097DE42
gethostname.WS2_32(?,00000100), ref: 0097DE5C
gethostbyname.WS2_32(?), ref: 0097DE69
inet_ntoa.WSOCK32(?), ref: 0097DEAB
_strcat.LIBCMT ref: 0097DEB9
WSACleanup.WSOCK32 ref: 0097DEDE

Strings

0.0.0.0, xrefs: 0097DE87

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: d1c66c5f5ecff3376ca3f828b3295c5bec1774862cec7561a136e4b1c42a379a
Instruction ID: 07ac944851a4a2cd66a94ca83a4c9fe75f538946664bf91732f7a793503144f5
Opcode Fuzzy Hash: d1c66c5f5ecff3376ca3f828b3295c5bec1774862cec7561a136e4b1c42a379a
Instruction Fuzzy Hash: 06115972904114AFDB21AB30DC0AFEF77BCEF95710F014169F0499A091EF749E809E90

Function 00912C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00912C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00912CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00911CAD,?), ref: 00912CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00911CAD,?), ref: 00912CCF

Strings

AutoIt v3, xrefs: 00912C89, 00912C8E, 00912C8F
edit, xrefs: 00912CAC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f7e9c2baec7e5a501ae6cc969d546dd570eaa99979e420d6fe05a9d88534bfc6
Instruction ID: a834c12fb2b53082859d3668b39d24f1cee0e73306a11a16e413886f669970b5
Opcode Fuzzy Hash: f7e9c2baec7e5a501ae6cc969d546dd570eaa99979e420d6fe05a9d88534bfc6
Instruction Fuzzy Hash: 66F0DAB55682D07AEB311717AC88E772EBDD7C7F50B00105AF900AA5A0C6715C51EAB0

Function 00913B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00913B0F,SwapMouseButtons,00000004,?), ref: 00913B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00913B0F,SwapMouseButtons,00000004,?), ref: 00913B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00913B0F,SwapMouseButtons,00000004,?), ref: 00913B83

Strings

Control Panel\Mouse, xrefs: 00913B3E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 126cadd3ab1c0b049bae39bdaf1220d28a6604071df05e938914390004f22ed6
Instruction ID: 5150490f7ccea34305433cfee9a407e0c97b8527797c890154b7e8de6de22d1d
Opcode Fuzzy Hash: 126cadd3ab1c0b049bae39bdaf1220d28a6604071df05e938914390004f22ed6
Instruction Fuzzy Hash: E0112AB5664219FFDF208FA5DC44AFFB7BCEF05744B108959A805D7110E2319E80ABA0

Function 0091DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009632B7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9f32533dc5f822e393b4fbe95405c6184d625284670a60d740378763248aa2aa
Instruction ID: 375ed6579394e789af6e63ead4c400789c0e1f4c9cbfc9312cf583d4b17f31d4
Opcode Fuzzy Hash: 9f32533dc5f822e393b4fbe95405c6184d625284670a60d740378763248aa2aa
Instruction Fuzzy Hash: 9EC29871A04219CFCB24CF98C890BADB7B5BF48310F248569ED56AB391D375ED82CB91

Function 0091EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0091FE66

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 2882003aa05dc3f5699e90409a906f79c1dd1befb70a76e936035b271c0d95ad
Instruction ID: 72488ba4c6f648ba55af9f430ac8a7323beed1a2c9616e4e18eaa21fc1d05a68
Opcode Fuzzy Hash: 2882003aa05dc3f5699e90409a906f79c1dd1befb70a76e936035b271c0d95ad
Instruction Fuzzy Hash: 71B27974608349CFDB24CF14D4A0AAAB7E5BF89300F24496DF8968B391D775EC81DB92

Function 00913923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009533A2

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00913A04

Strings

Line: , xrefs: 009533EB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6a1466b545aa29351991dd8425416867f0bb613018972a5b9f5dadda966c9866
Instruction ID: 16236a90b6192eb7ef9ff4af00e6726aee29ca1eaaf12fc0968042db422db002
Opcode Fuzzy Hash: 6a1466b545aa29351991dd8425416867f0bb613018972a5b9f5dadda966c9866
Instruction Fuzzy Hash: 9F31D671608348AAD325EB20DC45BEFB7ECAF84710F00891AF59993191DB749A89C7C2

Function 0092FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00930668

Part of subcall function 009332A4: RaiseException.KERNEL32(?,?,?,0093068A,?,009E1444,?,?,?,?,?,?,0093068A,00911129,009D8738,00911129), ref: 00933304

__CxxThrowException@8.LIBVCRUNTIME ref: 00930685

Strings

Unknown exception, xrefs: 00930692

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 918628464eeb129d06960273ef5a37a0137754bc5690f3ab292a713440aad1d6
Instruction ID: a5b34a201c9575550e43957c81cb53f29877ae5ae773fe494f236b037d5f4d6f
Opcode Fuzzy Hash: 918628464eeb129d06960273ef5a37a0137754bc5690f3ab292a713440aad1d6
Instruction Fuzzy Hash: B9F0C23490020D77CB00B6A5E866E9E777C9EC0314F608631B824D65DAEF71EA65CDC1

Function 009110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00911BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00911BF4
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00911BFC
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00911C07
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00911C12
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00911C1A
Part of subcall function 00911BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00911C22

Part of subcall function 00911B4A: RegisterWindowMessageW.USER32(00000004,?,009112C4), ref: 00911BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0091136A
OleInitialize.OLE32 ref: 00911388
CloseHandle.KERNEL32(00000000,00000000), ref: 009524AB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: faa532293b119cac45245c36592c4e3d11da636b33d432461b0b66b195185d6f
Instruction ID: 955a8e267fc072f6c11e9c9dc4dc882b57bd5b536beea8176ab2637c0eade5a4
Opcode Fuzzy Hash: faa532293b119cac45245c36592c4e3d11da636b33d432461b0b66b195185d6f
Instruction Fuzzy Hash: 357190B4A293849FC795DF7AA9856993AE0BBC9344354412AE11ACF371FB304C81EF45

Function 0097C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00913923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00913A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0097C259
KillTimer.USER32(?,00000001,?,?), ref: 0097C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0097C270

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 459f171b0915c7685d9fbcd1bcf0a15aebc6cf56d9a36f67b8bd86a209b57f70
Instruction ID: 1f83f5fb196500ff559740565f7c3f5b175c6701470682cd907b4b6ffacecb65
Opcode Fuzzy Hash: 459f171b0915c7685d9fbcd1bcf0a15aebc6cf56d9a36f67b8bd86a209b57f70
Instruction Fuzzy Hash: 2E3195B1904344AFEB22DF649895BE7BBEC9F06704F00449DD6EE97242C774AA84CB51

Function 009486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,009485CC,?,009D8CC8,0000000C), ref: 00948704
GetLastError.KERNEL32(?,009485CC,?,009D8CC8,0000000C), ref: 0094870E
__dosmaperr.LIBCMT ref: 00948739

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f447293ca66be7ca64035d909e805bbee24d6d89917663f46648de66fe7efbda
Instruction ID: 7ae6348c13907d8fbc94cb16a3413666e1c2d51d36dc9049462052b43c71e1b2
Opcode Fuzzy Hash: f447293ca66be7ca64035d909e805bbee24d6d89917663f46648de66fe7efbda
Instruction Fuzzy Hash: 52018933A0826067D6B56774A899F7F2B4D4BC2B78F3B0119F8188F1D3DEA1CC819290

Function 0091DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0091DB7B
DispatchMessageW.USER32(?), ref: 0091DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0091DB9F
Sleep.KERNEL32(0000000A), ref: 0091DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00961CC9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 2acf028a949c0c201443bcc55e3f8127535aa889c7cd3b8eac7289eb97627ff4
Instruction ID: 557e74e82ea2420a3a7990d0745f29a1ad3068723737e4b9da5143f263f70dbd
Opcode Fuzzy Hash: 2acf028a949c0c201443bcc55e3f8127535aa889c7cd3b8eac7289eb97627ff4
Instruction Fuzzy Hash: E7F05E706593849BE730CB608C89FEA73ACEF85310F104919F64A870C0DB34A4889B65

Function 00921310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009217F6

Strings

CALL, xrefs: 009217C6

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 51b7a72d5911b298117b27c726006fcf0610a4fba2554e2902e9f4adaaddd857
Instruction ID: 6be09a67ff695448c14a6ef3a0ea65725506b1c45e79628f908a17766c37b72f
Opcode Fuzzy Hash: 51b7a72d5911b298117b27c726006fcf0610a4fba2554e2902e9f4adaaddd857
Instruction Fuzzy Hash: 8D22A8706082519FC714DF14E490B2ABBF5BFD9314F24896DF48A8B3A6D735E851CB82

Function 009201E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25de92df071c33ef8330566e16cf81fb22628e76c04f981ad4cad70d06de4b63
Instruction ID: 431710fe5c4b331b54ef7c83c76760d6f017b30c252e5302cc50e61036f02281
Opcode Fuzzy Hash: 25de92df071c33ef8330566e16cf81fb22628e76c04f981ad4cad70d06de4b63
Instruction Fuzzy Hash: 2E320630A00614DFCF24DF54D895BAEB7B5BF84310F158969F826AB2A6D731ED80CB91

Function 00912DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00952C8C

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

Part of subcall function 00912DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00912DC4

Strings

X, xrefs: 00952C5A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 777c2d94dcd5b81d5cbf7d4954017800eeeb180bc2f421525e776c422844f391
Instruction ID: 9c948462994429480e59af38958dfcca0658bbfb3a62886d33130562760f4657
Opcode Fuzzy Hash: 777c2d94dcd5b81d5cbf7d4954017800eeeb180bc2f421525e776c422844f391
Instruction Fuzzy Hash: EB21D570B1025C9FCF01EF94C845BEE7BFCAF89304F00805AE405AB241DBB85A898FA1

Function 0096D3A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0096D3E5

Strings

X64, xrefs: 0096D2A8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: X64
API String ID: 3664257935-893830106
Opcode ID: d68b0997e4eea77ffb798592325e66905268ccfadc252f94f4ba8dc9bfc63ea8
Instruction ID: e503f3a5976ef1361e39f8eddf418e05cfe26e439d2257aad0dba8560adbcc1b
Opcode Fuzzy Hash: d68b0997e4eea77ffb798592325e66905268ccfadc252f94f4ba8dc9bfc63ea8
Instruction Fuzzy Hash: C1F028B1E4F391CAD73092104860EAD37A49F01300F698D8AE1329A146EB68D844D2C3

Function 0096D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0096D375

Strings

X64, xrefs: 0096D2A8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: fb15f97f1c6527fae1ee9a698b99abc6a3b3a5a9ee32d35e4f485585fcc2c6ee
Instruction ID: aea5b937ae796617b0eb99bcbafa3c77d2caceefba668f27cb72d356e4a89247
Opcode Fuzzy Hash: fb15f97f1c6527fae1ee9a698b99abc6a3b3a5a9ee32d35e4f485585fcc2c6ee
Instruction Fuzzy Hash: 76D0C9F5816168EACB90CB80DC88DDDB3BCBF04301F504952F012A2000DB7895489B10

Function 00913837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00913908

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bef9f1446f6e7c739e0dc188ae5cd297d8b05709e9165ad305255f9cd7f7b906
Instruction ID: 420ef60370bdda0d844394dc9b29dcc7a924d570c582ac632457a0f304f1fb8f
Opcode Fuzzy Hash: bef9f1446f6e7c739e0dc188ae5cd297d8b05709e9165ad305255f9cd7f7b906
Instruction Fuzzy Hash: 43318EB06183059FD721DF24D8847D7BBF8FB89708F00096EF99A97250E771AA84DB52

Function 0092F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0092F661

Part of subcall function 0091D730: GetInputState.USER32 ref: 0091D807

Sleep.KERNEL32(00000000), ref: 0096F2DE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 05370d358953490acd1a47f645ba474c4213a5d1424f4e89e6ab8b538de8c1e6
Instruction ID: 0ce140e059a54fd6c998e8b2fb80f5230eb1e522b6dbafbf469eef6885b74a8c
Opcode Fuzzy Hash: 05370d358953490acd1a47f645ba474c4213a5d1424f4e89e6ab8b538de8c1e6
Instruction Fuzzy Hash: FEF08C713442199FD310EF69E459BAAB7E9EF86761F000029F859CB2A0EB70A840CF90

Function 00914ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00914E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E9C
Part of subcall function 00914E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00914EAE
Part of subcall function 00914E90: FreeLibrary.KERNEL32(00000000,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914EFD

Part of subcall function 00914E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E62
Part of subcall function 00914E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00914E74
Part of subcall function 00914E59: FreeLibrary.KERNEL32(00000000,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E87

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 59f00213ca330a4baef8541dc9361904fe560e33ee2d12f09dc050ad9615bbdd
Instruction ID: 694eda9e6e24e4a4e94d6d267006702e5dab2758360437f8214571fdde984bd8
Opcode Fuzzy Hash: 59f00213ca330a4baef8541dc9361904fe560e33ee2d12f09dc050ad9615bbdd
Instruction Fuzzy Hash: 8B11C132710209AADF15EB60D802BED77A5AFC8711F108429F542AA3C1EE759A85DB90

Function 00948402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00948440

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ff3bf4939bf0142e565d0a995d6d5ee2b0eaf5bea6e9cf2760dff2dd3cc09b57
Instruction ID: 9a073da3e714f41afbacbe15a02a6351599e5819dd7eabb2550f0b22fe5cc9ce
Opcode Fuzzy Hash: ff3bf4939bf0142e565d0a995d6d5ee2b0eaf5bea6e9cf2760dff2dd3cc09b57
Instruction Fuzzy Hash: 1E11067590410AAFCB05DF58E941E9F7BF9EF48314F144059FC08AB312DA31DA118BA5

Function 00945000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00944C7D: RtlAllocateHeap.NTDLL(00000008,00911129,00000000,?,00942E29,00000001,00000364,?,?,?,0093F2DE,00943863,009E1444,?,0092FDF5,?), ref: 00944CBE

_free.LIBCMT ref: 0094506C

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 26bceae615b22631250190a564bc6578e4a44a1c0996445d4b83e85567bc3918
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 4A0126762047056BE3218F659881E9AFBEDFB89370F66051DE18893281EA30A805C7B4

Function 0093E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 83e8672462126561863d05457dc915b11188b189ef48df00d4d9859ca958bd59
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 5AF0C832511A1497D7313A6A9C16F9B379C9FD2339F100B19F825971D2DB74E8018EA5

Function 00944C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00911129,00000000,?,00942E29,00000001,00000364,?,?,?,0093F2DE,00943863,009E1444,?,0092FDF5,?), ref: 00944CBE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a917787026b57eddf9ad3a99b98275df4274a636dee392695df5f0dd0a856b8b
Instruction ID: e969eb7fd218f62aff7349cb02059e939d45fb161d251f975a2f7b9c4406bf40
Opcode Fuzzy Hash: a917787026b57eddf9ad3a99b98275df4274a636dee392695df5f0dd0a856b8b
Instruction Fuzzy Hash: EFF0E931646224A7DB215F62AC85FDB378CBF817A3F1D8111BC95AA190CA30DC005AE0

Function 00943820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e02a0f7f8e3eb6efb65b0de938d0b17a21e8e9a39a01ca02dc75f8a627a30fe0
Instruction ID: f85951fc19a5697eda947f0e3e9bc27669b4e35e2f6d0fcdf307dd6c6e71b3c2
Opcode Fuzzy Hash: e02a0f7f8e3eb6efb65b0de938d0b17a21e8e9a39a01ca02dc75f8a627a30fe0
Instruction Fuzzy Hash: D6E02231204224A6E7312AB79C00F9BB75DAF827B0F0A8020BC1596B90DB21EE018AE1

Function 00914F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914F6D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bb65ef64013742783e62e1ebed553ebe186f03a6281aa93eaf505317638cd935
Instruction ID: 82c276b9d5f5284002927f27788436e9b6cfd1c5005330300c311b58f81b69af
Opcode Fuzzy Hash: bb65ef64013742783e62e1ebed553ebe186f03a6281aa93eaf505317638cd935
Instruction Fuzzy Hash: 99F0A070205305CFCB348F20D490892B7E4EF083193108D7EE1DA86710C7319885DF40

Function 009A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009A2A66

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1666a866bc192f1628bd2a4b2b260491c2f4ffb1c05b33cbabfafe70ca58be82
Instruction ID: 3852b4019435fd67638a67cdb9bff50825672c46685d71b5718fcff5661742ed
Opcode Fuzzy Hash: 1666a866bc192f1628bd2a4b2b260491c2f4ffb1c05b33cbabfafe70ca58be82
Instruction Fuzzy Hash: 36E02632354216AEC710FB34DC80AFE734CEF91390B008836FC2AC2140DF34999192E0

Function 009130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0091314E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1be9694f6a046f3061989b2a14c0ce83460754077487e762c423d1390ae60760
Instruction ID: 582d25140d1b610034de0415627d82309eacd3cf6d0ec40f00f12976c2dc49a2
Opcode Fuzzy Hash: 1be9694f6a046f3061989b2a14c0ce83460754077487e762c423d1390ae60760
Instruction Fuzzy Hash: A0F03770A183589FEB52DB24DC857D67BFCAB05708F0000E5A5489A591D7745BC8CF51

Function 00912DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00912DC4

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 14c9509782f6ec60cb7cd048bc80b776d0b3dce13e1c73cc4d2044be265527b3
Instruction ID: 4a27a9832b70684ba39664f2bdf2a6a96e5848bfc98ad2aa7c4d08bc7493956b
Opcode Fuzzy Hash: 14c9509782f6ec60cb7cd048bc80b776d0b3dce13e1c73cc4d2044be265527b3
Instruction Fuzzy Hash: 45E0CD72A041245BC710D2589C05FEA77DDDFC8790F050071FD09D7248DA60ED848690

Function 00912B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00913837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00913908

Part of subcall function 0091D730: GetInputState.USER32 ref: 0091D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00912B6B

Part of subcall function 009130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0091314E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: cf90cf90d481773cf2380eddc4822736142564b91eb03cdc53e3634d0fc2fb10
Instruction ID: 67313eb72b3bf011a4cf2115519f2ab7265350e8d41f185e1c68505522d488b5
Opcode Fuzzy Hash: cf90cf90d481773cf2380eddc4822736142564b91eb03cdc53e3634d0fc2fb10
Instruction Fuzzy Hash: C5E0263130824C03CA04BB30A8526FDA3A98BD2311F40443EF142872F3DE2089C54352

Function 0097DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0097DF40

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: d5992ec70c016ec623dc54a56e9f735496819d9ab7d7931c28612f1b692a5497
Instruction ID: f80ecffc2cebe9bda5e85ab099200ed8e410da399490e5b1b2d6072c2e8a5241
Opcode Fuzzy Hash: d5992ec70c016ec623dc54a56e9f735496819d9ab7d7931c28612f1b692a5497
Instruction Fuzzy Hash: 3FD05EE2A042282BDF60A6749C0DDF73AACCB84210F0006A0786DD3152E920DD8486F0

Function 0095039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00950704,?,?,00000000,?,00950704,00000000,0000000C), ref: 009503B7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8af11b18e6c283d789909ef24ba41ad523c0ddf5aa3929e37cae61bdb888381e
Instruction ID: fbe23f113d5872e3cdf7cb2cca29234dceeac0c7642575f604ccbc78db7c231f
Opcode Fuzzy Hash: 8af11b18e6c283d789909ef24ba41ad523c0ddf5aa3929e37cae61bdb888381e
Instruction Fuzzy Hash: 3FD06C3215410DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 00911CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00911CBC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 49423b7821e7ba93924ada2378272e931ac04500ffe1a7bb48f2a98140465300
Instruction ID: bb592531dc52478c63d21f13ca2f5014715ac7af9cb0b92499cccaabb05c9967
Opcode Fuzzy Hash: 49423b7821e7ba93924ada2378272e931ac04500ffe1a7bb48f2a98140465300
Instruction Fuzzy Hash: BAC09B3529C3449FF3144780BD8AF107754A748B00F445001F6095D5E3C7B15C10F690

Non-executed Functions

Function 009A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 009A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009A96C9
SendMessageW.USER32 ref: 009A96F2
GetKeyState.USER32(00000011), ref: 009A978B
GetKeyState.USER32(00000009), ref: 009A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009A97AE
GetKeyState.USER32(00000010), ref: 009A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009A97E9
SendMessageW.USER32 ref: 009A9810
SendMessageW.USER32(?,00001030,?,009A7E95), ref: 009A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009A9941
SetCapture.USER32(?), ref: 009A994A
ClientToScreen.USER32(?,?), ref: 009A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009A99D6
ReleaseCapture.USER32 ref: 009A99E1
GetCursorPos.USER32(?), ref: 009A9A19
ScreenToClient.USER32(?,?), ref: 009A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 009A9A80
SendMessageW.USER32 ref: 009A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 009A9AEB
SendMessageW.USER32 ref: 009A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 009A9B4A
GetCursorPos.USER32(?), ref: 009A9B68
ScreenToClient.USER32(?,?), ref: 009A9B75
GetParent.USER32(?), ref: 009A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 009A9BFA
SendMessageW.USER32 ref: 009A9C2B
ClientToScreen.USER32(?,?), ref: 009A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 009A9CDE
SendMessageW.USER32 ref: 009A9D01
ClientToScreen.USER32(?,?), ref: 009A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009A9D82

Part of subcall function 00929944: GetWindowLongW.USER32(?,000000EB), ref: 00929952

GetWindowLongW.USER32(?,000000F0), ref: 009A9E05

Strings

@GUI_DRAGID, xrefs: 009A997D
F, xrefs: 009A9D07

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 16ba4ff0441f3b8e007a4aafbba39c00278c05645728edb651376d583c22cd49
Instruction ID: 330c54c9492a26a13476239d16835b4b6b06c48c94d5197d8308cab4c5c49241
Opcode Fuzzy Hash: 16ba4ff0441f3b8e007a4aafbba39c00278c05645728edb651376d583c22cd49
Instruction Fuzzy Hash: 1D427F74608241AFD725CF24CC84BAABBE9FF8A314F144619F6998B2A1D731EC50DF91

Function 009A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 009A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 009A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 009A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 009A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 009A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 009A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 009A4A7E
IsMenu.USER32(?), ref: 009A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009A4B20
GetWindowLongW.USER32(?,000000F0), ref: 009A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 009A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 009A4C82
wsprintfW.USER32 ref: 009A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 009A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 009A4D5A

Strings

%d/%02d/%02d, xrefs: 009A4CA8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: d493d1c5a1b659abf7796e8fa4a00fe978784b9cdc04a1e034115794179c7579
Instruction ID: 67b593611462b5653242f08078831618a514a091ffa8c5202226686bc1293349
Opcode Fuzzy Hash: d493d1c5a1b659abf7796e8fa4a00fe978784b9cdc04a1e034115794179c7579
Instruction Fuzzy Hash: 1C12E271600255AFEB258F28DC49FAE7BF8EF86710F104529F516EB2E1DBB49940CB90

Function 0092F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0092F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096F474
IsIconic.USER32(00000000), ref: 0096F47D
ShowWindow.USER32(00000000,00000009), ref: 0096F48A
SetForegroundWindow.USER32(00000000), ref: 0096F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0096F4AA
GetCurrentThreadId.KERNEL32 ref: 0096F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0096F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0096F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0096F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0096F4DE
SetForegroundWindow.USER32(00000000), ref: 0096F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F4F6
keybd_event.USER32(00000012,00000000), ref: 0096F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F50B
keybd_event.USER32(00000012,00000000), ref: 0096F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F519
keybd_event.USER32(00000012,00000000), ref: 0096F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0096F528
keybd_event.USER32(00000012,00000000), ref: 0096F52D
SetForegroundWindow.USER32(00000000), ref: 0096F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0096F557

Strings

Shell_TrayWnd, xrefs: 0096F46F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1afa3e4514dfff70f53f87933ad57a4af02f8dff5271323096e051820a178d9f
Instruction ID: 669d56e53366ad6b076a6a95815da525c28efdb50de93faabada8c81416e0a8f
Opcode Fuzzy Hash: 1afa3e4514dfff70f53f87933ad57a4af02f8dff5271323096e051820a178d9f
Instruction Fuzzy Hash: 863132B1A54218BFEB216BB55C4AFBF7E6CEF45B50F100465FA01EA1D1CAB15D00BAA0

Function 00971201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0097170D
Part of subcall function 009716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0097173A
Part of subcall function 009716C3: GetLastError.KERNEL32 ref: 0097174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00971286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009712A8
CloseHandle.KERNEL32(?), ref: 009712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009712D1
GetProcessWindowStation.USER32 ref: 009712EA
SetProcessWindowStation.USER32(00000000), ref: 009712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00971310

Part of subcall function 009710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009711FC), ref: 009710D4
Part of subcall function 009710BF: CloseHandle.KERNEL32(?,?,009711FC), ref: 009710E9

Strings

, xrefs: 0097125A
default, xrefs: 0097130B
winsta0, xrefs: 009712CC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 02e39e353cb3b126d695513b8d25895f5f59d388687e14ce2080a52cac056b38
Instruction ID: 7c77cdc56e9c7ad69e0fa346bcda07d2ee24c96a827bedc29b0b04d17f642f8b
Opcode Fuzzy Hash: 02e39e353cb3b126d695513b8d25895f5f59d388687e14ce2080a52cac056b38
Instruction Fuzzy Hash: 1281ADB2900209AFDF219FA8DC49FEE7BBDEF45704F148129F918E62A0D7308944DB64

Function 00970B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00971114
Part of subcall function 009710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971120
Part of subcall function 009710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 0097112F
Part of subcall function 009710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971136
Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0097114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00970BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00970C00
GetLengthSid.ADVAPI32(?), ref: 00970C17
GetAce.ADVAPI32(?,00000000,?), ref: 00970C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00970C6D
GetLengthSid.ADVAPI32(?), ref: 00970C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00970C8C
HeapAlloc.KERNEL32(00000000), ref: 00970C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00970CB4
CopySid.ADVAPI32(00000000), ref: 00970CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00970CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00970D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00970D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970D45
HeapFree.KERNEL32(00000000), ref: 00970D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970D55
HeapFree.KERNEL32(00000000), ref: 00970D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970D65
HeapFree.KERNEL32(00000000), ref: 00970D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00970D78
HeapFree.KERNEL32(00000000), ref: 00970D7F

Part of subcall function 00971193: GetProcessHeap.KERNEL32(00000008,00970BB1,?,00000000,?,00970BB1,?), ref: 009711A1
Part of subcall function 00971193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00970BB1,?), ref: 009711A8
Part of subcall function 00971193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00970BB1,?), ref: 009711B7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9c40b4a1197fa13e71dd023a204cc880ae9d9d6d61e96aa363dd1773bacbca12
Instruction ID: fb2db6000c31e59f406029a6605bb284478772e6881e357e8c2e63dc1e352351
Opcode Fuzzy Hash: 9c40b4a1197fa13e71dd023a204cc880ae9d9d6d61e96aa363dd1773bacbca12
Instruction Fuzzy Hash: B4715CB2A0431AEBDF10DFA4DC45BAEBBBCBF45300F048515E919AB291D771A905CBA0

Function 0098EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009ACC08), ref: 0098EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0098EB37
GetClipboardData.USER32(0000000D), ref: 0098EB43
CloseClipboard.USER32 ref: 0098EB4F
GlobalLock.KERNEL32(00000000), ref: 0098EB87
CloseClipboard.USER32 ref: 0098EB91
GlobalUnlock.KERNEL32(00000000), ref: 0098EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0098EBC9
GetClipboardData.USER32(00000001), ref: 0098EBD1
GlobalLock.KERNEL32(00000000), ref: 0098EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0098EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0098EC38
GetClipboardData.USER32(0000000F), ref: 0098EC44
GlobalLock.KERNEL32(00000000), ref: 0098EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0098EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0098EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0098ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0098ECF3
CountClipboardFormats.USER32 ref: 0098ED14
CloseClipboard.USER32 ref: 0098ED59

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 26c3d6d2205e544ece4bc14c617f9fc88eb114ee65e190846edb91cbf292f01a
Instruction ID: 36d7a9abeca1aa40d4da6bee1c04f2a1693f3fd01c3859356c580e4c56112e02
Opcode Fuzzy Hash: 26c3d6d2205e544ece4bc14c617f9fc88eb114ee65e190846edb91cbf292f01a
Instruction Fuzzy Hash: 1761DF742082069FD300EF24C8A4F6AB7E8EF85714F14455DF8569B3A2DB31DD49DBA2

Function 0098698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009869BE
FindClose.KERNEL32(00000000), ref: 00986A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00986A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00986A75

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00986AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00986ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00986B32
%4d%02d%02d%02d%02d%02d, xrefs: 00986B6A
%02d, xrefs: 00986C00, 00986C0A, 00986C5A, 00986CAA, 00986CFA, 00986D4A
%03d, xrefs: 00986DA2
%4d, xrefs: 00986BB1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a83ac114f8761d7fe718e92ca093530316a427b511d91cf2cb20123853bc1639
Instruction ID: 3193dd75dfec70cd02873d7ad2897f0b782c64b19cbb178360bf81c8b0ac6f22
Opcode Fuzzy Hash: a83ac114f8761d7fe718e92ca093530316a427b511d91cf2cb20123853bc1639
Instruction Fuzzy Hash: 4FD151B1508304AEC714EBA4D991EABB7ECAFC8704F44491DF589C7291EB74DA44CB62

Function 00989642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00989663
GetFileAttributesW.KERNEL32(?), ref: 009896A1
SetFileAttributesW.KERNEL32(?,?), ref: 009896BB
FindNextFileW.KERNEL32(00000000,?), ref: 009896D3
FindClose.KERNEL32(00000000), ref: 009896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0098974A
SetCurrentDirectoryW.KERNEL32(009D6B7C), ref: 00989768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00989772
FindClose.KERNEL32(00000000), ref: 0098977F
FindClose.KERNEL32(00000000), ref: 0098978F

Strings

*.*, xrefs: 009896F5

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b92b008d2cbc81bf673e618070a32f7fba3aa0aa26b82b6d448fb1ab24a4c9b3
Instruction ID: 73eb14d3bfbe46630e244246522c1e4d56a5b11182efad3dbe957a0f2ff77fff
Opcode Fuzzy Hash: b92b008d2cbc81bf673e618070a32f7fba3aa0aa26b82b6d448fb1ab24a4c9b3
Instruction Fuzzy Hash: 1331E2725442197EDF10EFB4DC08AEE77ACAF8A320F184156F815E62A0EB34DE408F94

Function 0098979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00989819
FindClose.KERNEL32(00000000), ref: 00989824
FindFirstFileW.KERNEL32(*.*,?), ref: 00989840
SetCurrentDirectoryW.KERNEL32(?), ref: 00989890
SetCurrentDirectoryW.KERNEL32(009D6B7C), ref: 009898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009898B8
FindClose.KERNEL32(00000000), ref: 009898C5
FindClose.KERNEL32(00000000), ref: 009898D5

Part of subcall function 0097DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0097DB00

Strings

*.*, xrefs: 0098983B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 03386f16e8f34c5696df3df54b80639cea69c28657fe42569331988c3a52043e
Instruction ID: 42fbc3b38db4697121beb6fcec8c342b640a22c696da8133c054b04f7aab5444
Opcode Fuzzy Hash: 03386f16e8f34c5696df3df54b80639cea69c28657fe42569331988c3a52043e
Instruction Fuzzy Hash: AA31B47154461A7EDF10FFB4DC48AEE77AC9F4A324F188156E854A6290DB34DE44CF60

Function 0097D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

Part of subcall function 0097E199: GetFileAttributesW.KERNEL32(?,0097CF95), ref: 0097E19A

FindFirstFileW.KERNEL32(?,?), ref: 0097D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0097D1DD
MoveFileW.KERNEL32(?,?), ref: 0097D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0097D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0097D237

Part of subcall function 0097D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0097D21C,?,?), ref: 0097D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0097D253
FindClose.KERNEL32(00000000), ref: 0097D264

Strings

\*.*, xrefs: 0097D0CD, 0097D0D6, 0097D0EB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 6f12c724814339d3963797b00d337dbe32dd5ea7ae1df79b73521c693274ae18
Instruction ID: 5ef3979ff0776729816885990bf48c6017db33ca61ad935921d228e15c944ede
Opcode Fuzzy Hash: 6f12c724814339d3963797b00d337dbe32dd5ea7ae1df79b73521c693274ae18
Instruction Fuzzy Hash: 0A619372D0610D9FCF05EBE0C952AEDB779AF95300F6480A5E41677192EB30AF4ADB60

Function 0098ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0098ED91
EmptyClipboard.USER32 ref: 0098ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0098EDAC
CloseClipboard.USER32 ref: 0098EEA3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1d910a9ad5f476c9f4152526e035619cbf826da3b2eb47e46d4498d658107789
Instruction ID: 3bd2d7f608f2c9999f0d56fe9c13990e2b7da2eff6bf0b0b049bfe6d3b1e4d5d
Opcode Fuzzy Hash: 1d910a9ad5f476c9f4152526e035619cbf826da3b2eb47e46d4498d658107789
Instruction Fuzzy Hash: CA418B75208612AFE320EF15D898F59BBE5EF45318F148099E4268F7A2C735EC42CBD0

Function 0097E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0097170D
Part of subcall function 009716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0097173A
Part of subcall function 009716C3: GetLastError.KERNEL32 ref: 0097174A

ExitWindowsEx.USER32(?,00000000), ref: 0097E932

Strings

@, xrefs: 0097E925
, xrefs: 0097E920
, xrefs: 0097E95C
SeShutdownPrivilege, xrefs: 0097E902

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 87c968c9a7dcbe6d6dfb710024d52b320ab13792c286a93a87d24b876d9fd3fc
Instruction ID: 60400658480e2ca0c64bd375560a055b8a0dd425fc4e46334820cd26d6b9d175
Opcode Fuzzy Hash: 87c968c9a7dcbe6d6dfb710024d52b320ab13792c286a93a87d24b876d9fd3fc
Instruction Fuzzy Hash: A4014973620210EFEB6426B89C8AFBF725C9B08780F14C862FE0BF21D1D6A45C4082D0

Function 00991204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00991276
WSAGetLastError.WSOCK32 ref: 00991283
bind.WSOCK32(00000000,?,00000010), ref: 009912BA
WSAGetLastError.WSOCK32 ref: 009912C5
closesocket.WSOCK32(00000000), ref: 009912F4
listen.WSOCK32(00000000,00000005), ref: 00991303
WSAGetLastError.WSOCK32 ref: 0099130D
closesocket.WSOCK32(00000000), ref: 0099133C

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 0ee9a8e116703e965f266ae4ed07b595eadec645d73b693a6a3f6ca644a23849
Instruction ID: b8790813016d647e76277f6a6bec7aa8dd9acf81efff12e6bce704fe0467e2f9
Opcode Fuzzy Hash: 0ee9a8e116703e965f266ae4ed07b595eadec645d73b693a6a3f6ca644a23849
Instruction Fuzzy Hash: A24184716001019FDB10EF68C485B69BBE6BF86318F188198E8669F3D2C775ED81CBE1

Function 0094B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0094B9D4
_free.LIBCMT ref: 0094B9F8
_free.LIBCMT ref: 0094BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009B3700), ref: 0094BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,009E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0094BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,009E1270,000000FF,?,0000003F,00000000,?), ref: 0094BC36
_free.LIBCMT ref: 0094BD4B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3a0439a2c179a2b5fac1cff54fe8b6136cf676eb27c33bb2d414d1ef5bb76033
Instruction ID: e3e3653459b1c88f7557c2e7399325048ae572f82c5c034fa7e40649e295140b
Opcode Fuzzy Hash: 3a0439a2c179a2b5fac1cff54fe8b6136cf676eb27c33bb2d414d1ef5bb76033
Instruction Fuzzy Hash: 88C10271A04245ABDB249F69CC91FAEBBFCEF81350F14419AE590DB291EB30DE418B90

Function 0097D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

Part of subcall function 0097E199: GetFileAttributesW.KERNEL32(?,0097CF95), ref: 0097E19A

FindFirstFileW.KERNEL32(?,?), ref: 0097D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0097D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0097D481
FindClose.KERNEL32(00000000), ref: 0097D498
FindClose.KERNEL32(00000000), ref: 0097D4A1

Strings

\*.*, xrefs: 0097D3F2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 318c630de86595b029dc7e8308e5c45e573f49858fd02855ba9d1af355549cdf
Instruction ID: 394a49e03df803da04c593ed26a78c94d70ac89bdc82cb6dcfff545150270f36
Opcode Fuzzy Hash: 318c630de86595b029dc7e8308e5c45e573f49858fd02855ba9d1af355549cdf
Instruction Fuzzy Hash: B031617211D3459FC200EF64C8959EF77B8AED1314F44891DF4E5521A1EB20EA49D7A2

Function 0094E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0094E645

Strings

1#SNAN, xrefs: 0094F844
1#QNAN, xrefs: 0094F84B
1#INF, xrefs: 0094F852
1#IND, xrefs: 0094F83D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e23765ab326ed365bbeaf47c797887785b6dcc06240a26be2b27a036b22ed76f
Instruction ID: a62b622d6f9ad312c9b434990cd7c637442be05f05379a809f8e401303eee8a2
Opcode Fuzzy Hash: e23765ab326ed365bbeaf47c797887785b6dcc06240a26be2b27a036b22ed76f
Instruction Fuzzy Hash: 28C22A71E086298FDB25CF289D50BEAB7B9FB84305F1545EAD44DE7240E778AE818F40

Function 0098648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009864DC
CoInitialize.OLE32(00000000), ref: 00986639
CoCreateInstance.OLE32(009AFCF8,00000000,00000001,009AFB68,?), ref: 00986650
CoUninitialize.OLE32 ref: 009868D4

Strings

.lnk, xrefs: 009864BA, 00986524, 009865E0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 411540ae183e0450c683be307bb4d839b9423b7ead69f34cd211e38341dd42cd
Instruction ID: 1ada7d92534b678e867950243ac56127e493bbd1a4ed66cb312305e4b7e939b3
Opcode Fuzzy Hash: 411540ae183e0450c683be307bb4d839b9423b7ead69f34cd211e38341dd42cd
Instruction Fuzzy Hash: D9D13A716083059FC314EF24C891AABB7E9FFD9704F00496DF5958B291EB70E945CBA2

Function 009922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009922E8

Part of subcall function 0098E4EC: GetWindowRect.USER32(?,?), ref: 0098E504

GetDesktopWindow.USER32 ref: 00992312
GetWindowRect.USER32(00000000), ref: 00992319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00992355
GetCursorPos.USER32(?), ref: 00992381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009923DF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c5753afc12711974b6cd0782cebe6a13e2cae29a03ebb599d51a0200db7681f1
Instruction ID: dc8cde15fe5bb5c9121bdcea5672ba6cb8b465f8851081b5abaf440763da258e
Opcode Fuzzy Hash: c5753afc12711974b6cd0782cebe6a13e2cae29a03ebb599d51a0200db7681f1
Instruction Fuzzy Hash: 5F31B072509315AFDB20DF58C84AB5BB7ADFF89714F000919F9899B191DB34E908CBD2

Function 00989B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00989B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00989C8B

Part of subcall function 00983874: GetInputState.USER32 ref: 009838CB
Part of subcall function 00983874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00983966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00989BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00989C75

Strings

*.*, xrefs: 00989B5D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bd2e89f00c093658ade8f4a7ed39636a3d7dce429404f01d361fb3265024b0a6
Instruction ID: 06507a45aca6b79cde2a436429116a7a1350f19d90d7e2c02c2a16f25547c00c
Opcode Fuzzy Hash: bd2e89f00c093658ade8f4a7ed39636a3d7dce429404f01d361fb3265024b0a6
Instruction Fuzzy Hash: CD41827190420AAFCF15EFA4C845BFE7BB8EF45310F144056E859A7291EB319E84CFA0

Function 0092997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00929A4E
GetSysColor.USER32(0000000F), ref: 00929B23
SetBkColor.GDI32(?,00000000), ref: 00929B36

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: de194e2df2ce545315bb83d743decf2031f122e6e507b9b96503f1b187ed4a36
Instruction ID: 96fe475b33dcb5ab2bb59aa31871ade45a00489b12e0a47a0b9d8f61670f233f
Opcode Fuzzy Hash: de194e2df2ce545315bb83d743decf2031f122e6e507b9b96503f1b187ed4a36
Instruction Fuzzy Hash: DEA15D7021C664BEE728AA7CEC98F7F769DEF83344F140509F402DA599CA299D41D2B2

Function 00991806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0099304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0099307A
Part of subcall function 0099304E: _wcslen.LIBCMT ref: 0099309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0099185D
WSAGetLastError.WSOCK32 ref: 00991884
bind.WSOCK32(00000000,?,00000010), ref: 009918DB
WSAGetLastError.WSOCK32 ref: 009918E6
closesocket.WSOCK32(00000000), ref: 00991915

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 5afbb66d1bf8dd4a588be26a792a0bcc2b10ba8f3a62446027afbf1d5915c30b
Instruction ID: 79c522eff640a84412240cf141dd85677c2cf67c72d89ff2760d0b1420f28fcd
Opcode Fuzzy Hash: 5afbb66d1bf8dd4a588be26a792a0bcc2b10ba8f3a62446027afbf1d5915c30b
Instruction Fuzzy Hash: F351C471B002109FDB10AF28D886F6A77E5AF85718F048458F9169F3D3D775AD818BE1

Function 009A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009A1CC0
IsWindowEnabled.USER32 ref: 009A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009A1CDB
IsIconic.USER32 ref: 009A1CE9
IsZoomed.USER32 ref: 009A1CF7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fe01098acf074c792c95ce8cf767c8ec22f74348fb3fe8977460c6bf6fbb7d47
Instruction ID: 46cfbd5fc3e64d28aa02a14864c9633c722910d704131b7ddc931cb0847f689c
Opcode Fuzzy Hash: fe01098acf074c792c95ce8cf767c8ec22f74348fb3fe8977460c6bf6fbb7d47
Instruction Fuzzy Hash: 1A2195717446115FD7208F2AC844B6A7BE9EF97325F198059E886CB391C771EC42CBD4

Function 00918060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009183FA
VUUU, xrefs: 0091843C
ERCP, xrefs: 0091813C
VUUU, xrefs: 009183E8
VUUU, xrefs: 00955DF0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f4bdb134b4cf6153ad2e35a63d0606f700cbf4d7b9fd252c371c034942e5890f
Instruction ID: 2bce67ab91f2f37fea4f0b6cd80a40af24b8d84ee961956897f061f02a531db6
Opcode Fuzzy Hash: f4bdb134b4cf6153ad2e35a63d0606f700cbf4d7b9fd252c371c034942e5890f
Instruction Fuzzy Hash: 72A2AB70A0061ACBDF24CF59C8907EEB7B6BB54311F2485AAEC15A7281EB349DC5DF90

Function 0097AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0097AAAC
SetKeyboardState.USER32(00000080), ref: 0097AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0097AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0097AB88

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fb76c9e53b2e3783427595a4b92d33c8f4d38915cf64292d7f1f93db962b8ad7
Instruction ID: 84b02bb88c46f9ec1908414ad0a4ff65885079593321e33d7b553617fcf969be
Opcode Fuzzy Hash: fb76c9e53b2e3783427595a4b92d33c8f4d38915cf64292d7f1f93db962b8ad7
Instruction Fuzzy Hash: 6B312872A40208AEFF35CA64CC05BFE7BAAEFD5310F04C21AF189561D0D3788981D7A6

Function 0098CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0098CE89
GetLastError.KERNEL32(?,00000000), ref: 0098CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0098CEFE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 3b5c8c48841ad75eafe8814079d8d9fa7a1b3816b82ea922450b2e2a96814569
Instruction ID: f62be249ea67b0e0b929f279e56a8f11d8a195f4639a9b2244ef8867a44bee52
Opcode Fuzzy Hash: 3b5c8c48841ad75eafe8814079d8d9fa7a1b3816b82ea922450b2e2a96814569
Instruction Fuzzy Hash: 8F2190B15043059BEB30EF65D948BA677FCEF40354F10441EE646D2252EB74ED049BA4

Function 00978298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009782AA

Strings

(, xrefs: 009782F0
|, xrefs: 009782DA

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fa214d281f9e9ab7adaf6738ce8a449c5d4f8aeba00c682071d61ff9590b7048
Instruction ID: 25937714f18ac1ba2dc91ac005410ba5b7efb0d7de218837923aa5f78ffa0385
Opcode Fuzzy Hash: fa214d281f9e9ab7adaf6738ce8a449c5d4f8aeba00c682071d61ff9590b7048
Instruction Fuzzy Hash: BB323575A007059FCB28CF59C085AAAB7F0FF48710B15C56EE4AADB7A1EB70E941CB40

Function 00985C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00985CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00985D17
FindClose.KERNEL32(?), ref: 00985D5F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 95402ac655f266b7fb72d3ff612d90eed9aac9da8cd5b76d3d4b75b76a37d985
Instruction ID: 767ec13cf310864ba91e6ca786a288334e1761358bc51266594f013426f5b50d
Opcode Fuzzy Hash: 95402ac655f266b7fb72d3ff612d90eed9aac9da8cd5b76d3d4b75b76a37d985
Instruction Fuzzy Hash: 2651AC746046019FC714DF28C494E96B7E8FF49324F15855EE9AA8B3A2CB30ED49CF91

Function 00942622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0094271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00942724
UnhandledExceptionFilter.KERNEL32(?), ref: 00942731

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 77a21a04d8b05aa8589539fe98ef25660954051f9c49578ba414b6befe6c93af
Instruction ID: b4d648c25d7dd9a96a7924b9cf16fb1823f27e8f057259a62ec57c274083f4b6
Opcode Fuzzy Hash: 77a21a04d8b05aa8589539fe98ef25660954051f9c49578ba414b6befe6c93af
Instruction Fuzzy Hash: C331B47491121C9BCB21DF64DD89BDDBBB8BF48710F5041EAE81CA6261E7709F818F45

Function 009851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00985238
SetErrorMode.KERNEL32(00000000), ref: 009852A1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 888a052dddf2faab27b02d5ba07b88d81f5ff318eca83fd95c2920839aec9007
Instruction ID: 5274827976f12ccdd242ad86db9fa8d285182f923e468f19b82553b0c34c1967
Opcode Fuzzy Hash: 888a052dddf2faab27b02d5ba07b88d81f5ff318eca83fd95c2920839aec9007
Instruction Fuzzy Hash: C4314C75A14518DFDB00EF54D884FADBBB4FF49314F058099E805AB362DB31E85ACB90

Function 009716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0092FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00930668
Part of subcall function 0092FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00930685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0097170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0097173A
GetLastError.KERNEL32 ref: 0097174A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7b9e5dc7364e92bfc2f8581dacc243902da1173435f3d0497b930f642d8f4c96
Instruction ID: b4512fb6d188c4d75a99392cfb5b45f4e178d19f2a7ecd8d5b46e6f31cff17b6
Opcode Fuzzy Hash: 7b9e5dc7364e92bfc2f8581dacc243902da1173435f3d0497b930f642d8f4c96
Instruction Fuzzy Hash: D011CEB2514305AFD718AF58EC86E6ABBBDEF44714B20C52EE05A57281EB70BC418A60

Function 0097D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0097D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0097D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0097D650

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7ea3d2597e870543be40e1b354af526a7732e2c21ed29765907bddacd862b609
Instruction ID: 97dac8731ebb49402f0c64c39d2c1ebacb55377c981963ee26219b981e32eb97
Opcode Fuzzy Hash: 7ea3d2597e870543be40e1b354af526a7732e2c21ed29765907bddacd862b609
Instruction Fuzzy Hash: 3C113CB6E05228BBDB108F959C45FAFBBBCEB45B50F108115F918E7290D6704A059BA1

Function 00971663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0097168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009716A1
FreeSid.ADVAPI32(?), ref: 009716B1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4d58a81db85e5951c72d03565d45680e4f9ded8cd35bcca23a505377235efad1
Instruction ID: f1889885fb7691ebf5183a7f51b8f7fff4c0332fb1613a8fad4cfc069703e953
Opcode Fuzzy Hash: 4d58a81db85e5951c72d03565d45680e4f9ded8cd35bcca23a505377235efad1
Instruction Fuzzy Hash: 9FF0F4B195030DFBDF00DFE49C89AAEBBBCEF08604F508565E501E6181E774AA449A90

Function 0094C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0094C36C

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 535ad301eac9c92b8b992657d30b92fb2472acb0011b8c2c73756525dd687c6c
Instruction ID: 31dab9e33476dc00a162b14aa094d29303ccdbb4224f12ac794f48a0d456549e
Opcode Fuzzy Hash: 535ad301eac9c92b8b992657d30b92fb2472acb0011b8c2c73756525dd687c6c
Instruction Fuzzy Hash: C94147B2901219AFCB209FB9CC88EBB77BCEB84314F104269F915D7180F6709D80CB50

Function 0093CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f824e4241730826b5c94aa1b0732e74c573b78b3094e710b5c3189142ff6de54
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 55020CB1E006199BDF24CFA9C8806ADBBF5EF88314F258569E819F7384D731AD418F94

Function 009868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00986918
FindClose.KERNEL32(00000000), ref: 00986961

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d53fa2981546329376314b080aef558a52c105d0f7e7cae6db73e203206d1c6f
Instruction ID: 9effdf817e7b231d795c16a86485b5a8ec0db5979f219673229fe8ea927874b7
Opcode Fuzzy Hash: d53fa2981546329376314b080aef558a52c105d0f7e7cae6db73e203206d1c6f
Instruction Fuzzy Hash: 38118E716142019FC710DF69D488A16BBE5EF85328F14C699E8698F7A2CB31EC45CB91

Function 009837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00994891,?,?,00000035,?), ref: 009837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00994891,?,?,00000035,?), ref: 009837F4

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d3bc13fe642af70ac0b607bd6e9f575c526da203c4a6d9153dbe3ff6ebcce47a
Instruction ID: 851939ab520329b052757b1b6051af45e2f4c254d1ccdec25442b94fce182312
Opcode Fuzzy Hash: d3bc13fe642af70ac0b607bd6e9f575c526da203c4a6d9153dbe3ff6ebcce47a
Instruction Fuzzy Hash: 03F0E5B07042292AEB2067668C4DFEB3AAEEFC5B61F004175F909E2281DA60D944C7F0

Function 0097B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0097B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0097B270

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 27d4c68b74409823391d0a85fc7af13f8fdd82de0364e262381b973cd22ae5f6
Instruction ID: ff86473a4d392a6777a61617cdb783b9c7733a94996633bed74527276c0c3017
Opcode Fuzzy Hash: 27d4c68b74409823391d0a85fc7af13f8fdd82de0364e262381b973cd22ae5f6
Instruction Fuzzy Hash: 3AF01D7181424DABDB059FA0C805BBE7BB4FF05309F008409F965A9192C37996119F94

Function 009710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009711FC), ref: 009710D4
CloseHandle.KERNEL32(?,?,009711FC), ref: 009710E9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d1bc20f17d039e1ea506fd84d63852eff7416e3d1a719920d6c777852e79f710
Instruction ID: e01ae2bcfa6bd144c4326939580dba60faeae2c3c42ce05d2df96b06e7f8fd1b
Opcode Fuzzy Hash: d1bc20f17d039e1ea506fd84d63852eff7416e3d1a719920d6c777852e79f710
Instruction Fuzzy Hash: 63E04F72018610AFEB252B11FC05F7377A9EF04310F10882DF4A6844B5DB626C90EB50

Function 0091CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00960C40

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 00df3f16daa9713e4007c95d31a108c265fd60bea321055f196698141a536a27
Instruction ID: 13025401be11d6d212d87b88c05bee17f6da247d5e05eeab7ac364277f75dbaf
Opcode Fuzzy Hash: 00df3f16daa9713e4007c95d31a108c265fd60bea321055f196698141a536a27
Instruction Fuzzy Hash: 69329EB4A4021CDBCF14DF94D981BEEB7B9FF84304F148459E806AB292D775AD86CB50

Function 0094676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00946766,?,?,00000008,?,?,0094FEFE,00000000), ref: 00946998

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c5d9c22b948aa37dd36d2e5386514726bc7d66c0edbe289e19f70f028d37fae5
Instruction ID: 6e7136ee628ecde3389b04da3ea888914e4205d24453f87a6318bd5d4975354d
Opcode Fuzzy Hash: c5d9c22b948aa37dd36d2e5386514726bc7d66c0edbe289e19f70f028d37fae5
Instruction Fuzzy Hash: 80B14CB1610609DFD719CF28C48AF657BE0FF46368F258658E899CF2A2C335E991CB41

Function 0092B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0096851F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e8ad078baa23a8dfd3e9bc75e71434db9882e0cc57f4d3eb698c26e178801110
Instruction ID: c2589b8c999bda6c43e650b4ac298b3595696daf4f71b1d759c3414845751a24
Opcode Fuzzy Hash: e8ad078baa23a8dfd3e9bc75e71434db9882e0cc57f4d3eb698c26e178801110
Instruction Fuzzy Hash: 72123D71D002299BDB24DF58D890BEEB7F5FF48710F14819AE849EB255EB349A81CB90

Function 0098EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0098EABD

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 48283520b6cf269820039de1596746fd280d1cc23c87672656e140749d254e38
Instruction ID: 563b5d1bc2402bd42688f6e40ef0df4aaadf4165dab62e585e0c72cd328519e3
Opcode Fuzzy Hash: 48283520b6cf269820039de1596746fd280d1cc23c87672656e140749d254e38
Instruction Fuzzy Hash: 2EE01A752102049FC710EF59D814E9AB7E9AF98760F008416FC49CB351DA74E8818B90

Function 009309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009303EE), ref: 009309DA

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6534d3d321f49b09e861c29bd66ab3e372fdc6cc417c54422cda2cda33dec8eb
Instruction ID: b462555d463a9e8412e1ae824d45db344b415d4bd4b24870454653dc14d4d6f9
Opcode Fuzzy Hash: 6534d3d321f49b09e861c29bd66ab3e372fdc6cc417c54422cda2cda33dec8eb
Instruction Fuzzy Hash:

Function 0093781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0093798B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5b591a15eef6fa57032077cbb1ca6837219f4bb507d64a89c22f9a5379f52f13
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CD5135E160C7456BDB3885E888DEBBFE3CD9B46340F180A09E986D7282C619DE41DF56

Function 00946DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96dbb70bcb9cb7f5db562f12b68ab4b460073194c25ade1285f6e4b5024aae5b
Instruction ID: 4ba962214ceaec7495db8165cdd95537aa39a4d54fe5b23b24e1ac55959b6763
Opcode Fuzzy Hash: 96dbb70bcb9cb7f5db562f12b68ab4b460073194c25ade1285f6e4b5024aae5b
Instruction Fuzzy Hash: FA322122D2DF054DDB239635C922336A68DAFB73D5F15C737F81AB5AA9EB28C4835100

Function 0092CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc93718018323dceacb0d7405aa49ddf4415f827f0a75e9f17385238985274a
Instruction ID: 1465acf323519c6c14dde12e9a7b9c6015225bcfa7099111d98b9be9dfed9467
Opcode Fuzzy Hash: 2fc93718018323dceacb0d7405aa49ddf4415f827f0a75e9f17385238985274a
Instruction Fuzzy Hash: FE3237F1A041158BCF28CF68D49467D7BA9EB45301F28896BF8CADB395D238DE81DB41

Function 00917920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312bacbc4f594c994363f0266fba0b800f9ae70463b2396ffc6cfb5a9fa3a1c9
Instruction ID: 70d012bc3e9ed3047f24933cab62014ca1cf7f34043280a399a6a50338478e07
Opcode Fuzzy Hash: 312bacbc4f594c994363f0266fba0b800f9ae70463b2396ffc6cfb5a9fa3a1c9
Instruction Fuzzy Hash: 0422CEB0A0460ADFDF14CFA5D891AEEF3B5FF44300F214529E816A7291EB39AD95CB50

Function 009191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09443e49438049036bbcfd3ad9fa09c5854a880efebf49fdcf1aa8a8f544b49
Instruction ID: d72b22b9b952f0e496eccf5180df71118e6c58b826503aa414f77dbf2c2698bb
Opcode Fuzzy Hash: f09443e49438049036bbcfd3ad9fa09c5854a880efebf49fdcf1aa8a8f544b49
Instruction Fuzzy Hash: 2402F5B1E0020AEBDB04DF65D891BAEB7B5FF44300F108569E816DB290EB35EE55CB81

Function 00949EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5144c672897307e9ec23867936c7d884148e2d648239363209974fe5ca265e72
Instruction ID: 00447b25953a6da98ab472763e3e4b4010249be71d28dd7accc856df2d8be03a
Opcode Fuzzy Hash: 5144c672897307e9ec23867936c7d884148e2d648239363209974fe5ca265e72
Instruction Fuzzy Hash: C0B1E020D3AF414DC22396398935337B69CAFBB6E5F91D71BFC2674D22EB2286835140

Function 00931C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 20c18367f5dea1671d5a969c9eb3b883792fb6e67da7dc9ef13cb499d4ea01f4
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 56918A731080A34ADB6D463E857407EFFE55A923A1B1A0B9DD4F2CB1E5FE24C954DE20

Function 009319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: fba56d1a74e0cced197f152f98522a888e9be13cac59b81451e846c306b6ccfd
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 309187722090E34EDB2D427A957403EFFF55A923A2B1A079ED4F2CA1E5FE14C564DE20

Function 00937A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc56f4f0bd92d234b406cb337993577b06d442160eb2df57b0f26f4a998ed133
Instruction ID: b86b0e0cab288f3da3e99383bcd737d3cade482485190a0c8df72ac78f6364df
Opcode Fuzzy Hash: bc56f4f0bd92d234b406cb337993577b06d442160eb2df57b0f26f4a998ed133
Instruction Fuzzy Hash: 376148F120874966DE749AE88895BBFE3FDDF82700F140D1AF882DB281D6159E42CF56

Function 00937CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac77b9574187680ca21b56325d9995bf9e672a51f5c3a39d5da6aa10a3db3c26
Instruction ID: d5ab43a34b8ccc7ca59fc6675eea9c026b5c3c3d303c0dd724eac1f8d8e97df9
Opcode Fuzzy Hash: ac77b9574187680ca21b56325d9995bf9e672a51f5c3a39d5da6aa10a3db3c26
Instruction Fuzzy Hash: 9F6169F120C70966DE389AE88896BBFE39CDF82704F100D59F853DB2D1DA169D42CE55

Function 00931706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e158e4d578d06cdbfea2620e7a989308b2de5eb0de8f9d9c8db86dde7d7d8909
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 188187366080A349DB6D863A853453EFFE55A923A1B1E079ED4F3CB1E1EE24C954DE20

Function 00982046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc95dfc629d3c6881cd760e975df645a88ecfc95090a83a4e574c43495051cb
Instruction ID: 39708e6cbd7e346dc591c0a46aff8ad7b739654aefedd0900fc640802cfd08a4
Opcode Fuzzy Hash: bbc95dfc629d3c6881cd760e975df645a88ecfc95090a83a4e574c43495051cb
Instruction Fuzzy Hash: C721D8326206158BDB28CF79C81267A73E9A794310F148A2EE4A7C73D1DE75AD04DB80

Function 00992ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00992B30
DeleteObject.GDI32(00000000), ref: 00992B43
DestroyWindow.USER32 ref: 00992B52
GetDesktopWindow.USER32 ref: 00992B6D
GetWindowRect.USER32(00000000), ref: 00992B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00992CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00992CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992CF8
GetClientRect.USER32(00000000,?), ref: 00992D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00992D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D80
GlobalLock.KERNEL32(00000000), ref: 00992D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992D98
GlobalUnlock.KERNEL32(00000000), ref: 00992DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992DA8
GlobalFree.KERNEL32(00000000), ref: 00992DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,009AFC38,00000000), ref: 00992DDB
GlobalFree.KERNEL32(00000000), ref: 00992DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00992E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00992E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00992E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0099303F

Strings

AutoIt v3, xrefs: 00992CF2
, xrefs: 00992FC5
static, xrefs: 00992D3A, 00992E91
DISPLAY, xrefs: 00992EA2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5aa9978722bbef70c38d6c2b7e85aaed966f250f33ae15bd44dc6665e280e6c3
Instruction ID: 27078225e1f466fcfd3779dfaec5fae10a9236f35c85d3d81f8a8399f675840f
Opcode Fuzzy Hash: 5aa9978722bbef70c38d6c2b7e85aaed966f250f33ae15bd44dc6665e280e6c3
Instruction Fuzzy Hash: 070270B1610209AFDB14DF68CC89EAE7BB9EF49310F048158F915AB2A1DB74DD41DFA0

Function 009A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009A712F
GetSysColorBrush.USER32(0000000F), ref: 009A7160
GetSysColor.USER32(0000000F), ref: 009A716C
SetBkColor.GDI32(?,000000FF), ref: 009A7186
SelectObject.GDI32(?,?), ref: 009A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 009A71C0
GetSysColor.USER32(00000010), ref: 009A71C8
CreateSolidBrush.GDI32(00000000), ref: 009A71CF
FrameRect.USER32(?,?,00000000), ref: 009A71DE
DeleteObject.GDI32(00000000), ref: 009A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 009A7230
FillRect.USER32(?,?,?), ref: 009A7262
GetWindowLongW.USER32(?,000000F0), ref: 009A7284

Part of subcall function 009A73E8: GetSysColor.USER32(00000012), ref: 009A7421
Part of subcall function 009A73E8: SetTextColor.GDI32(?,?), ref: 009A7425
Part of subcall function 009A73E8: GetSysColorBrush.USER32(0000000F), ref: 009A743B
Part of subcall function 009A73E8: GetSysColor.USER32(0000000F), ref: 009A7446
Part of subcall function 009A73E8: GetSysColor.USER32(00000011), ref: 009A7463
Part of subcall function 009A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009A7471
Part of subcall function 009A73E8: SelectObject.GDI32(?,00000000), ref: 009A7482
Part of subcall function 009A73E8: SetBkColor.GDI32(?,00000000), ref: 009A748B
Part of subcall function 009A73E8: SelectObject.GDI32(?,?), ref: 009A7498
Part of subcall function 009A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009A74B7
Part of subcall function 009A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009A74CE
Part of subcall function 009A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009A74DB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5b2353a8a3ef0ef73d92effc1052861b17fabbbaec696b5e8e6dae3162cfebcf
Instruction ID: 3aada598758d7d9b573edfbb8f81b37bf129c8268c24fd1b59199a353578b33a
Opcode Fuzzy Hash: 5b2353a8a3ef0ef73d92effc1052861b17fabbbaec696b5e8e6dae3162cfebcf
Instruction Fuzzy Hash: 11A1B3B251C301AFDB409F60DC49A6BBBE9FF4A320F101A19F9629A1E1D734E944DBD1

Function 00928D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00928E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00966AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00966AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00966F43

Part of subcall function 00928F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00928BE8,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 00928FC5

SendMessageW.USER32(?,00001053), ref: 00966F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00966F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00966FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00966FB7

Strings

0, xrefs: 00966DCF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ce2a58a9511b0e4492185bc303c237a9f765373f9de1745596a68a1d174c594d
Instruction ID: a29c59f859d29ce2149b55c4c5cf46ab4d363503bcf0d6571f2e798433a82047
Opcode Fuzzy Hash: ce2a58a9511b0e4492185bc303c237a9f765373f9de1745596a68a1d174c594d
Instruction Fuzzy Hash: 2012BE70609251EFDB25DF24E894BAAB7E9FF49300F144469F4898B262CB32EC51DF91

Function 00992711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0099273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0099286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00992900
GetClientRect.USER32(00000000,?), ref: 0099290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00992955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00992964
GetStockObject.GDI32(00000011), ref: 00992974
SelectObject.GDI32(00000000,00000000), ref: 00992978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00992988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00992991
DeleteDC.GDI32(00000000), ref: 0099299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00992A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00992A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00992A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00992A77
GetStockObject.GDI32(00000011), ref: 00992A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00992A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00992A97

Strings

AutoIt v3, xrefs: 009928F8
static, xrefs: 0099294F, 00992A71
msctls_progress32, xrefs: 00992A13
DISPLAY, xrefs: 0099295A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 30b515c242daf5f0be9c6cd83c51dc35421b301a8340fda5a79e305987d3a226
Instruction ID: 188444238a5e317b52f367461b480277c6958968abc9728e1ef3260faadf4522
Opcode Fuzzy Hash: 30b515c242daf5f0be9c6cd83c51dc35421b301a8340fda5a79e305987d3a226
Instruction Fuzzy Hash: 3CB14AB1A50219BFEB14DFA8CC89FAE7BA9EF49710F004115F915EB290D774AD40DBA0

Function 00984ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00984AED
GetDriveTypeW.KERNEL32(?,009ACB68,?,\\.\,009ACC08), ref: 00984BCA
SetErrorMode.KERNEL32(00000000,009ACB68,?,\\.\,009ACC08), ref: 00984D36

Strings

SSA, xrefs: 00984CA6
Fibre, xrefs: 00984CAD
FileBackedVirtual, xrefs: 00984CEC
SCSI, xrefs: 00984C8A
RAID, xrefs: 00984CBB
Virtual, xrefs: 00984CE5
Unknown, xrefs: 00984BED, 00984C83
1394, xrefs: 00984C9F
RAMDisk, xrefs: 00984BF4
MMC, xrefs: 00984CDE
PhysicalDrive, xrefs: 00984B76
Fixed, xrefs: 00984C09
\\.\, xrefs: 00984B3F
SSD, xrefs: 00984C4A
ATAPI, xrefs: 00984C91
USB, xrefs: 00984CB4
CDROM, xrefs: 00984BFB
SATA, xrefs: 00984CD0
Removable, xrefs: 00984C10, 00984C15
ATA, xrefs: 00984C98
Network, xrefs: 00984C02
iSCSI, xrefs: 00984CC2
SAS, xrefs: 00984CC9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ab183ccd7640632abdba12bcb62eb849192906bd22779bebe2253cb61140a4a8
Instruction ID: d3faa60eb9e67963f25b04a10b1d746119aee627e7b697640dfa0c8e479a7c66
Opcode Fuzzy Hash: ab183ccd7640632abdba12bcb62eb849192906bd22779bebe2253cb61140a4a8
Instruction Fuzzy Hash: 5361D63174520B9BCB14FF24CA81AECB7B9AF85304B24C416F886AB391DB79ED41DB41

Function 009A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 009A7421
SetTextColor.GDI32(?,?), ref: 009A7425
GetSysColorBrush.USER32(0000000F), ref: 009A743B
GetSysColor.USER32(0000000F), ref: 009A7446
CreateSolidBrush.GDI32(?), ref: 009A744B
GetSysColor.USER32(00000011), ref: 009A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 009A7471
SelectObject.GDI32(?,00000000), ref: 009A7482
SetBkColor.GDI32(?,00000000), ref: 009A748B
SelectObject.GDI32(?,?), ref: 009A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 009A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 009A7572
DrawFocusRect.USER32(?,?), ref: 009A757D
GetSysColor.USER32(00000011), ref: 009A758E
SetTextColor.GDI32(?,00000000), ref: 009A7596
DrawTextW.USER32(?,009A70F5,000000FF,?,00000000), ref: 009A75A8
SelectObject.GDI32(?,?), ref: 009A75BF
DeleteObject.GDI32(?), ref: 009A75CA
SelectObject.GDI32(?,?), ref: 009A75D0
DeleteObject.GDI32(?), ref: 009A75D5
SetTextColor.GDI32(?,?), ref: 009A75DB
SetBkColor.GDI32(?,?), ref: 009A75E5

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8459837d4ee6af3e7d3e99337990600b6e90daf7c0dfb2d6e085bca6aa9ddf94
Instruction ID: d98f0dd11104a239e85dc5f1aa9a2a472df8a3471d833621f3bb41faced7a6d6
Opcode Fuzzy Hash: 8459837d4ee6af3e7d3e99337990600b6e90daf7c0dfb2d6e085bca6aa9ddf94
Instruction Fuzzy Hash: 03615272D08218AFDF019FA4DC49EAEBFB9EF0A320F114525F915AB2A1D7749940DBD0

Function 009A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009A1128
GetDesktopWindow.USER32 ref: 009A113D
GetWindowRect.USER32(00000000), ref: 009A1144
GetWindowLongW.USER32(?,000000F0), ref: 009A1199
DestroyWindow.USER32(?), ref: 009A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 009A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009A1245
IsWindowVisible.USER32(00000000), ref: 009A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009A12D0
GetWindowRect.USER32(00000000,?), ref: 009A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 009A130E
GetMonitorInfoW.USER32(00000000,?), ref: 009A1328
CopyRect.USER32(?,?), ref: 009A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009A13AA

Strings

0, xrefs: 009A10D3
tooltips_class32, xrefs: 009A11E6
(, xrefs: 009A131B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ab38c8e359c8206309ce2f10cfb7214383b1176ec4d87741faa3c63a7a84b2a3
Instruction ID: 936c6e1bcc653f739e6df92a35883797ebcd3b62491a38d7787d10bf195f19f8
Opcode Fuzzy Hash: ab38c8e359c8206309ce2f10cfb7214383b1176ec4d87741faa3c63a7a84b2a3
Instruction Fuzzy Hash: D1B18D71608341AFDB14DF64C884BABBBE5FF85350F00891DF9999B2A1DB31E845CB91

Function 009A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009A02E5
_wcslen.LIBCMT ref: 009A031F
_wcslen.LIBCMT ref: 009A0389
_wcslen.LIBCMT ref: 009A03F1
_wcslen.LIBCMT ref: 009A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009A0504

Part of subcall function 0092F9F2: _wcslen.LIBCMT ref: 0092F9FD

Part of subcall function 0097223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00972258
Part of subcall function 0097223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0097228A

Strings

VIEWCHANGE, xrefs: 009A0675
GETTEXT, xrefs: 009A03EC, 009A0407
DESELECT, xrefs: 009A059C
GETSELECTEDCOUNT, xrefs: 009A0470, 009A048B
SELECTINVERT, xrefs: 009A057E
GETSELECTED, xrefs: 009A05E1
SELECTALL, xrefs: 009A0515
GETSUBITEMCOUNT, xrefs: 009A0384, 009A039F
SELECTCLEAR, xrefs: 009A052D
SELECT, xrefs: 009A0548
GETITEMCOUNT, xrefs: 009A0316, 009A0337
FINDITEM, xrefs: 009A0627
ISSELECTED, xrefs: 009A04DD

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 12fbdbe28112dc0d4cbf1e3146fa90ffcccf147a5f310a7d5ab58769953fdf52
Instruction ID: cb2bf8f1f4a830bf52991ded02b4af5cc347d31641a191c5b8fffee2e3b0aaa3
Opcode Fuzzy Hash: 12fbdbe28112dc0d4cbf1e3146fa90ffcccf147a5f310a7d5ab58769953fdf52
Instruction Fuzzy Hash: C1E1BF312183018FCB14DF24C550A6AB3E6BFC9718F548A6DF8969B3A5EB34ED45CB81

Function 00928891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00928968
GetSystemMetrics.USER32(00000007), ref: 00928970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0092899B
GetSystemMetrics.USER32(00000008), ref: 009289A3
GetSystemMetrics.USER32(00000004), ref: 009289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00928A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00928A3C
GetClientRect.USER32(00000000,000000FF), ref: 00928A5A
GetStockObject.GDI32(00000011), ref: 00928A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00928A81

Part of subcall function 0092912D: GetCursorPos.USER32(?), ref: 00929141
Part of subcall function 0092912D: ScreenToClient.USER32(00000000,?), ref: 0092915E
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000001), ref: 00929183
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000002), ref: 0092919D

SetTimer.USER32(00000000,00000000,00000028,009290FC), ref: 00928AA8

Strings

AutoIt v3 GUI, xrefs: 00928A20

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2853906eaabc3fd255775d21684af4341537fb5b2c7877f84bef76a04991b0a0
Instruction ID: d1ca2628670456bea7a8c9d75beb955933709ae3cb52cf161999205d657f5889
Opcode Fuzzy Hash: 2853906eaabc3fd255775d21684af4341537fb5b2c7877f84bef76a04991b0a0
Instruction Fuzzy Hash: 5EB18E75A0421AAFDB14DFA8DD85BAE7BB5FF48314F104129FA15AB290DB34E840DB90

Function 00970D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00971114
Part of subcall function 009710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971120
Part of subcall function 009710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 0097112F
Part of subcall function 009710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971136
Part of subcall function 009710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0097114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00970DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00970E29
GetLengthSid.ADVAPI32(?), ref: 00970E40
GetAce.ADVAPI32(?,00000000,?), ref: 00970E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00970E96
GetLengthSid.ADVAPI32(?), ref: 00970EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00970EB5
HeapAlloc.KERNEL32(00000000), ref: 00970EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00970EDD
CopySid.ADVAPI32(00000000), ref: 00970EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00970F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00970F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00970F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970F6E
HeapFree.KERNEL32(00000000), ref: 00970F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970F7E
HeapFree.KERNEL32(00000000), ref: 00970F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00970F8E
HeapFree.KERNEL32(00000000), ref: 00970F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00970FA1
HeapFree.KERNEL32(00000000), ref: 00970FA8

Part of subcall function 00971193: GetProcessHeap.KERNEL32(00000008,00970BB1,?,00000000,?,00970BB1,?), ref: 009711A1
Part of subcall function 00971193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00970BB1,?), ref: 009711A8
Part of subcall function 00971193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00970BB1,?), ref: 009711B7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c7891e2b2f80a110f8456c36454bbdcb3d77fa4d599802b0b432a29303f0da4d
Instruction ID: c8ed15ceb58ec05a9601c07ff840a46dc84e05ddb00fe195eb48311181616de6
Opcode Fuzzy Hash: c7891e2b2f80a110f8456c36454bbdcb3d77fa4d599802b0b432a29303f0da4d
Instruction Fuzzy Hash: 4B714CB290421AEBDF20DFA4DC45FAEBBBCBF45310F148115F919EA191D7719905CBA0

Function 0099C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,009ACC08,00000000,?,00000000,?,?), ref: 0099C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0099C5A4
_wcslen.LIBCMT ref: 0099C5F4
_wcslen.LIBCMT ref: 0099C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0099C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0099C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0099C84D
RegCloseKey.ADVAPI32(?), ref: 0099C881
RegCloseKey.ADVAPI32(00000000), ref: 0099C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0099C960

Strings

REG_EXPAND_SZ, xrefs: 0099C5CD
REG_MULTI_SZ, xrefs: 0099C6F5
REG_QWORD, xrefs: 0099C8C3
REG_DWORD, xrefs: 0099C804
REG_SZ, xrefs: 0099C644
REG_BINARY, xrefs: 0099C913

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f7f7c466207876dd329a18c12d6f6a09f67ecf0bb3796a6f04074271a1450a51
Instruction ID: 645d7f9f6dc7ea3504f13b1bf2e0aac3aa68b99561dbb9fba66b2214fe04b3d4
Opcode Fuzzy Hash: f7f7c466207876dd329a18c12d6f6a09f67ecf0bb3796a6f04074271a1450a51
Instruction Fuzzy Hash: D01247757082019FDB14DF18C891B6AB7E5EF89714F05889DF88A9B3A2DB31ED41CB81

Function 009A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009A09C6
_wcslen.LIBCMT ref: 009A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009A0A54
_wcslen.LIBCMT ref: 009A0A8A
_wcslen.LIBCMT ref: 009A0B06
_wcslen.LIBCMT ref: 009A0B81

Part of subcall function 0092F9F2: _wcslen.LIBCMT ref: 0092F9FD

Part of subcall function 00972BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00972BFA

Strings

GETTEXT, xrefs: 009A0C97
COLLAPSE, xrefs: 009A0B01, 009A0B1C
EXPAND, xrefs: 009A0BF8
SELECT, xrefs: 009A0D11
ISCHECKED, xrefs: 009A0CE1
GETITEMCOUNT, xrefs: 009A0C1E
GETTOTALCOUNT, xrefs: 009A09F2, 009A0A17
GETSELECTED, xrefs: 009A0C4E
EXISTS, xrefs: 009A0B7C, 009A0B97
CHECK, xrefs: 009A0A85, 009A0AA0
UNCHECK, xrefs: 009A0D3E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c58f4b36f8964063e096a6d9b7e61b7429ab341c96745d8ee1c76b40005a2fea
Instruction ID: 3cfc2f3b879db6d59cb2376bf239c738b2b57443dc9333736f6a84fadc63a47c
Opcode Fuzzy Hash: c58f4b36f8964063e096a6d9b7e61b7429ab341c96745d8ee1c76b40005a2fea
Instruction Fuzzy Hash: 23E1BC322083018FCB14DF64C450A6AB7E6BFDA314F14895DF89A9B3A2D731ED85CB81

Function 0099C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
_wcslen.LIBCMT ref: 0099C9F1
_wcslen.LIBCMT ref: 0099CA68
_wcslen.LIBCMT ref: 0099CA9E
_wcslen.LIBCMT ref: 0099CAF9
_wcslen.LIBCMT ref: 0099CB2F
_wcslen.LIBCMT ref: 0099CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0099CA62, 0099CA67
HKEY_CURRENT_USER, xrefs: 0099CBBD
HKCU, xrefs: 0099CBCE
HKU, xrefs: 0099CBF0
HKCR, xrefs: 0099CB29, 0099CB2E
HKCC, xrefs: 0099CBAC
HKEY_USERS, xrefs: 0099CBDF
HKEY_CURRENT_CONFIG, xrefs: 0099CB79, 0099CB7E
HKLM, xrefs: 0099CA98, 0099CA9D
HKEY_CLASSES_ROOT, xrefs: 0099CAF3, 0099CAF8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f366a8c3720aca052eb4b3f517e69b78dd6aa090d113c6b432b0b6abe285a5d5
Instruction ID: 0bad5aeb862e279dad7ce25bcd3fd4c15d360639572ff4899af679d0cdc9ee92
Opcode Fuzzy Hash: f366a8c3720aca052eb4b3f517e69b78dd6aa090d113c6b432b0b6abe285a5d5
Instruction Fuzzy Hash: FF7129B260016A8BCF20DE7CCD516BF3399AFA0764F554925FC569B284F635DD80C3A0

Function 009A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009A835A
_wcslen.LIBCMT ref: 009A836E
_wcslen.LIBCMT ref: 009A8391
_wcslen.LIBCMT ref: 009A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009A5BF2), ref: 009A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009A8501
FreeLibrary.KERNEL32(?), ref: 009A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009A851D
DestroyIcon.USER32(?,?,?,?,?,009A5BF2), ref: 009A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009A8555

Strings

.icl, xrefs: 009A8368
.dll, xrefs: 009A83AB
.exe, xrefs: 009A8388

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f157e902d2067f79c46f89d12845cf79d79f578f1386ebd2a6d9fc88602de0b2
Instruction ID: 5737da7665af7372747b4d30259a47e2023422b07843b4bfb4f47276014125cc
Opcode Fuzzy Hash: f157e902d2067f79c46f89d12845cf79d79f578f1386ebd2a6d9fc88602de0b2
Instruction Fuzzy Hash: EE61CF71944209BEEB14DF64CC45BBF77ACBF49B21F104509F815DA1D1EB74A980DBA0

Function 00917778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 0095528C
#comments-end, xrefs: 009178D9
#requireadmin, xrefs: 009177FF
#cs, xrefs: 00917873, 009178C5
Bad directive syntax error, xrefs: 0095519A
#notrayicon, xrefs: 009177E7
', xrefs: 00955169
#OnAutoItStartRegister, xrefs: 00917817
", xrefs: 00955153
#include, xrefs: 00917847
#include-once, xrefs: 0091782F
Cannot parse #include, xrefs: 00955279
#pragma compile, xrefs: 009177D3
#comments-start, xrefs: 0091785F, 009178B1
#ce, xrefs: 009178ED

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 325d8a397f770ce0b62485930abfcefbc8c6b9fd730796772aca5a466bc8e5c1
Instruction ID: 1f5509760657f94be3c74ae26c8a79464c5a8eb9025c4acda5787fc94f86eec3
Opcode Fuzzy Hash: 325d8a397f770ce0b62485930abfcefbc8c6b9fd730796772aca5a466bc8e5c1
Instruction Fuzzy Hash: 1281F57170460AABDB20AFA1DC52FEF7BB8AF95304F054424FC05AA196EB70D985C7A1

Function 00975A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00975A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00975A40
SetWindowTextW.USER32(?,?), ref: 00975A57
GetDlgItem.USER32(?,000003EA), ref: 00975A6C
SetWindowTextW.USER32(00000000,?), ref: 00975A72
GetDlgItem.USER32(?,000003E9), ref: 00975A82
SetWindowTextW.USER32(00000000,?), ref: 00975A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00975AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00975AC3
GetWindowRect.USER32(?,?), ref: 00975ACC
_wcslen.LIBCMT ref: 00975B33
SetWindowTextW.USER32(?,?), ref: 00975B6F
GetDesktopWindow.USER32 ref: 00975B75
GetWindowRect.USER32(00000000), ref: 00975B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00975BD3
GetClientRect.USER32(?,?), ref: 00975BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00975C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00975C2F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: bd45999479081990b20d343f627c7d1b553a90e5816f42883a006413bdea6c88
Instruction ID: 25168d56a426f179b4c0dab27e8bf39ce65620937c559c89731e7f931ac0d0f8
Opcode Fuzzy Hash: bd45999479081990b20d343f627c7d1b553a90e5816f42883a006413bdea6c88
Instruction Fuzzy Hash: 26718072900B09EFDB20DFA8CE85B6EBBF9FF48704F114918E146A65A0D7B4E944CB50

Function 009300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009300C6

Part of subcall function 009300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(009E070C,00000FA0,D50D51DE,?,?,?,?,009523B3,000000FF), ref: 0093011C
Part of subcall function 009300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009523B3,000000FF), ref: 00930127
Part of subcall function 009300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009523B3,000000FF), ref: 00930138
Part of subcall function 009300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0093014E
Part of subcall function 009300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0093015C
Part of subcall function 009300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0093016A
Part of subcall function 009300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00930195
Part of subcall function 009300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009301A0

___scrt_fastfail.LIBCMT ref: 009300E7

Part of subcall function 009300A3: __onexit.LIBCMT ref: 009300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00930122
InitializeConditionVariable, xrefs: 00930148
kernel32.dll, xrefs: 00930133
WakeAllConditionVariable, xrefs: 00930162
SleepConditionVariableCS, xrefs: 00930154

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b05500dec267f2a0525b6a7d165a5ef40b77afc7dca21f899dd40b86ab684308
Instruction ID: eb909374910965865d901c59ba3613aeea4abb28efae33aa9dbe9446b52762b2
Opcode Fuzzy Hash: b05500dec267f2a0525b6a7d165a5ef40b77afc7dca21f899dd40b86ab684308
Instruction Fuzzy Hash: 4C21D772A5D7116FD7215BE4AC69B2A77A8EFC6B55F000135F801AB2D1DBB49C009ED0

Function 009730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0097318D
_wcslen.LIBCMT ref: 009731F8

Strings

CLASSNN, xrefs: 009731F3, 00973204
CLASS, xrefs: 00973188, 009731A5
NAME, xrefs: 00973335, 00973346
REGEXPCLASS, xrefs: 00973255, 00973266
TEXT, xrefs: 0097347C
INSTANCE, xrefs: 00973453

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: e3043a6806a6e7f5cf5dea9a35faa629f98256001fcf1a2317864af4c858c06b
Instruction ID: e08864e837611a93351563ed39b6ec3589e78406bab279e2a29c61599f67dc3c
Opcode Fuzzy Hash: e3043a6806a6e7f5cf5dea9a35faa629f98256001fcf1a2317864af4c858c06b
Instruction Fuzzy Hash: CEE1E633A00516ABCB289F74C4517EEBBB4BF54710F55C12AE46EF7250DB30AE85A790

Function 009844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009ACC08), ref: 00984527
_wcslen.LIBCMT ref: 0098453B
_wcslen.LIBCMT ref: 00984599
_wcslen.LIBCMT ref: 009845F4
_wcslen.LIBCMT ref: 0098463F
_wcslen.LIBCMT ref: 009846A7

Part of subcall function 0092F9F2: _wcslen.LIBCMT ref: 0092F9FD

GetDriveTypeW.KERNEL32(?,009D6BF0,00000061), ref: 00984743

Strings

fixed, xrefs: 00984635, 0098463A
ramdisk, xrefs: 009846F1
all, xrefs: 00984531, 00984536
network, xrefs: 0098469D, 009846A2
cdrom, xrefs: 0098458F, 00984594
removable, xrefs: 009845EA, 009845EF
unknown, xrefs: 00984708

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5a3276187ddf0bd08d5815b575f0acb0c6f84244faf708b8ed0e64efe095917f
Instruction ID: 30acea8ff3ffafdf1a2bd7be95ce3c9d49a66f48f6c0e880747921f2cde1326a
Opcode Fuzzy Hash: 5a3276187ddf0bd08d5815b575f0acb0c6f84244faf708b8ed0e64efe095917f
Instruction Fuzzy Hash: 25B1AE716083029FC710EF28C890A6EB7E9AFE5764F50891DF496C7391E734D985CBA2

Function 0091326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(009E1990), ref: 00952F8D
GetMenuItemCount.USER32(009E1990), ref: 0095303D
GetCursorPos.USER32(?), ref: 00953081
SetForegroundWindow.USER32(00000000), ref: 0095308A
TrackPopupMenuEx.USER32(009E1990,00000000,?,00000000,00000000,00000000), ref: 0095309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009530A9

Strings

0, xrefs: 0091327D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 59a73f6087dd12cfd5a53785c35b3fcd6e1530aae03c474ca1b9190f36787135
Instruction ID: de848054c7f9c72e381daefa692e5700127851d914e4e24cbc025acb2963bbf1
Opcode Fuzzy Hash: 59a73f6087dd12cfd5a53785c35b3fcd6e1530aae03c474ca1b9190f36787135
Instruction Fuzzy Hash: 66713871644205BEEB21DF25DC49F9ABF78FF02364F208206F9246A1E0C7B1A954DB90

Function 009A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 009A6DEB

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009A6E94
DestroyWindow.USER32(?), ref: 009A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00910000,00000000), ref: 009A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009A6EFD
GetDesktopWindow.USER32 ref: 009A6F16
GetWindowRect.USER32(00000000), ref: 009A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009A6F4D

Part of subcall function 00929944: GetWindowLongW.USER32(?,000000EB), ref: 00929952

Strings

tooltips_class32, xrefs: 009A6E58, 009A6EDD
0, xrefs: 009A6D98

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b07f7b68ffdfa4ce4fc840d063f32ca2ce8af54a8d5624f16a8f35e568a68442
Instruction ID: 463dc14d773bf8ed4032cd3bc44e44e8a3937f03d592d4b812e6aea3cd3d8438
Opcode Fuzzy Hash: b07f7b68ffdfa4ce4fc840d063f32ca2ce8af54a8d5624f16a8f35e568a68442
Instruction Fuzzy Hash: 02714974548245AFDB21CF18EC44BAABBE9FB8A304F18041DF9998B2A1C770AD45DB91

Function 009A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

DragQueryPoint.SHELL32(?,?), ref: 009A9147

Part of subcall function 009A7674: ClientToScreen.USER32(?,?), ref: 009A769A
Part of subcall function 009A7674: GetWindowRect.USER32(?,?), ref: 009A7710
Part of subcall function 009A7674: PtInRect.USER32(?,?,009A8B89), ref: 009A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 009A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 009A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 009A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 009A9277
DragFinish.SHELL32(?), ref: 009A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009A9371

Strings

@GUI_DRAGID, xrefs: 009A92E9
@GUI_DRAGFILE, xrefs: 009A9320
@GUI_DROPID, xrefs: 009A929E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4c3c62b86b1030278e7a316b020c9a01f06d82649781bb23cd3854bd8070bd6b
Instruction ID: c8b1bfd35dd698f06516fa66e0d57061a2436c3db75adc96fff999f3cd8c1e0b
Opcode Fuzzy Hash: 4c3c62b86b1030278e7a316b020c9a01f06d82649781bb23cd3854bd8070bd6b
Instruction Fuzzy Hash: 3B615971108305AFC705DF64DC85EAFBBE8EFCA750F00091EF596962A1DB709A49CB92

Function 0098C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0098C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0098C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0098C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0098C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0098C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0098C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0098C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0098C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0098C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0098C5F0
InternetCloseHandle.WININET(00000000), ref: 0098C5FB

Strings

, xrefs: 0098C575

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d9ea669e1c63e034e70d43b2c9350e76e84c718c019faf03f8e603934a838c3f
Instruction ID: 79823d368f33c79fcb3dd24665f349747bb1af629da933b0e0bf52ab97dbc659
Opcode Fuzzy Hash: d9ea669e1c63e034e70d43b2c9350e76e84c718c019faf03f8e603934a838c3f
Instruction Fuzzy Hash: 61516BF1514209BFDB21AF60C988AAB7BFCFF09754F00442AF945DA210DB34E944ABB0

Function 009A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 009A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85BA
GlobalLock.KERNEL32(00000000), ref: 009A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85D7
GlobalUnlock.KERNEL32(00000000), ref: 009A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,009AFC38,?), ref: 009A8611
GlobalFree.KERNEL32(00000000), ref: 009A8621
GetObjectW.GDI32(?,00000018,?), ref: 009A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 009A8671
DeleteObject.GDI32(?), ref: 009A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009A86AF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: dd79a42155acc445b19a0bb4cca8d0a1f8e09aa8c373fc3ca6272e0bdafb28e5
Instruction ID: 64ef9ae91c5a0c223e5b5aaeb8a6c9c0a466c99a1023808587fb38d3909022e9
Opcode Fuzzy Hash: dd79a42155acc445b19a0bb4cca8d0a1f8e09aa8c373fc3ca6272e0bdafb28e5
Instruction Fuzzy Hash: 5B4107B5614208AFDB119FA5CC48EAB7BBCEF8AB15F104058F915EB260DB309901DBA0

Function 009814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00981502
VariantCopy.OLEAUT32(?,?), ref: 0098150B
VariantClear.OLEAUT32(?), ref: 00981517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00981657
VariantInit.OLEAUT32(?), ref: 00981708
SysFreeString.OLEAUT32(?), ref: 0098178C
VariantClear.OLEAUT32(?), ref: 009817D8
VariantClear.OLEAUT32(?), ref: 009817E7
VariantInit.OLEAUT32(00000000), ref: 00981823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00981625
Default, xrefs: 009816AF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5b2b5a41cae39e9f21e49bfe4792297595bcace275065a8d01ec2d8a8af3fef1
Instruction ID: 33a63ebec0aa0decb7bc9f78d2ee2982b307411afc2d2fe0c0b5e6e895f80c32
Opcode Fuzzy Hash: 5b2b5a41cae39e9f21e49bfe4792297595bcace275065a8d01ec2d8a8af3fef1
Instruction Fuzzy Hash: 1ED10372A04115DBDB10BF65E885BBDB7B9BF86700F10885AF446AB390DB34DC42DBA1

Function 0099B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0099B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0099B80A
RegCloseKey.ADVAPI32(?), ref: 0099B87E
RegCloseKey.ADVAPI32(?), ref: 0099B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0099B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0099B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0099B922
FreeLibrary.KERNEL32(00000000), ref: 0099B983
RegCloseKey.ADVAPI32(00000000), ref: 0099B994

Strings

advapi32.dll, xrefs: 0099B8ED
RegDeleteKeyExW, xrefs: 0099B8FE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 540658d013582c11e0edc53192dccde93742d0e3595dc486b35020daaa2bf2d1
Instruction ID: 7715e49636555228f80d8382e5a700be1666c0bf2b92ec5b1f57cb109c2ef89f
Opcode Fuzzy Hash: 540658d013582c11e0edc53192dccde93742d0e3595dc486b35020daaa2bf2d1
Instruction Fuzzy Hash: CAC19E70208201AFDB10DF18D594F2ABBE5BF85308F14859CF59A4B3A2CB75ED86CB91

Function 0099255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009925E8
CreateCompatibleDC.GDI32(?), ref: 009925F4
SelectObject.GDI32(00000000,?), ref: 00992601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0099266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009926D0
SelectObject.GDI32(?,?), ref: 009926D8
DeleteObject.GDI32(?), ref: 009926E1
DeleteDC.GDI32(?), ref: 009926E8
ReleaseDC.USER32(00000000,?), ref: 009926F3

Strings

(, xrefs: 0099268D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 36b9915dc2795c74bc6c50680aa9b03e4c4e10187622271efdc5d48dbf92be4f
Instruction ID: 28e1a65448fd449359883a856e3fcecc0d220fe96ec28c08a6503abd672654a9
Opcode Fuzzy Hash: 36b9915dc2795c74bc6c50680aa9b03e4c4e10187622271efdc5d48dbf92be4f
Instruction Fuzzy Hash: C461E5B5E04219EFCF05CFA8D884AAEBBF5FF48310F20852AE555A7250D774A941DF90

Function 0094DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0094DAA1

Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D659
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D66B
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D67D
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D68F
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6A1
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6B3
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6C5
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6D7
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6E9
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D6FB
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D70D
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D71F
Part of subcall function 0094D63C: _free.LIBCMT ref: 0094D731

_free.LIBCMT ref: 0094DA96

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094DAB8
_free.LIBCMT ref: 0094DACD
_free.LIBCMT ref: 0094DAD8
_free.LIBCMT ref: 0094DAFA
_free.LIBCMT ref: 0094DB0D
_free.LIBCMT ref: 0094DB1B
_free.LIBCMT ref: 0094DB26
_free.LIBCMT ref: 0094DB5E
_free.LIBCMT ref: 0094DB65
_free.LIBCMT ref: 0094DB82
_free.LIBCMT ref: 0094DB9A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e1abac2d95202534af2b4629b35607e96f432d1ed02940aca0eff76ebc931467
Instruction ID: 82ad1370a5e3dead36d32aa6810c506238f819ec9e0a3d8e5444f66753de8264
Opcode Fuzzy Hash: e1abac2d95202534af2b4629b35607e96f432d1ed02940aca0eff76ebc931467
Instruction Fuzzy Hash: 803145366052059FEB22AB3AE945F5AB7E9FF40310F55442AF448D7291DB30AC808B20

Function 0097365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0097369C
_wcslen.LIBCMT ref: 009736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00973797
GetClassNameW.USER32(?,?,00000400), ref: 0097380C
GetDlgCtrlID.USER32(?), ref: 0097385D
GetWindowRect.USER32(?,?), ref: 00973882
GetParent.USER32(?), ref: 009738A0
ScreenToClient.USER32(00000000), ref: 009738A7
GetClassNameW.USER32(?,?,00000100), ref: 00973921
GetWindowTextW.USER32(?,?,00000400), ref: 0097395D

Strings

%s%u, xrefs: 00973734

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b3a40ca8d2b5af168cbe03adafb657521b65b87946587e869d85e2f4f7cd7eb1
Instruction ID: aaa45a7dc648ddcd51613a4ee622af517fb2609fb3443f513d8669db84b3b837
Opcode Fuzzy Hash: b3a40ca8d2b5af168cbe03adafb657521b65b87946587e869d85e2f4f7cd7eb1
Instruction Fuzzy Hash: D8918F72204606EFD719DF24C885BEAB7A8FF44354F00C629FA9DD6190EB30EA45DB91

Function 00974954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00974994
GetWindowTextW.USER32(?,?,00000400), ref: 009749DA
_wcslen.LIBCMT ref: 009749EB
CharUpperBuffW.USER32(?,00000000), ref: 009749F7
_wcsstr.LIBVCRUNTIME ref: 00974A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00974A64
GetWindowTextW.USER32(?,?,00000400), ref: 00974A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00974AE6
GetClassNameW.USER32(?,?,00000400), ref: 00974B20
GetWindowRect.USER32(?,?), ref: 00974B8B

Strings

ThumbnailClass, xrefs: 00974A6F, 00974AF1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 117b116ebba30f932427d17f16278210965028400293e904d5021ee3763c183b
Instruction ID: 727b9445e258d1e377d4516b3b337eabf7ce3760e3f490d8b22e1b2f1167b5e3
Opcode Fuzzy Hash: 117b116ebba30f932427d17f16278210965028400293e904d5021ee3763c183b
Instruction Fuzzy Hash: C191C0721082069FDB05DF14C981BAAB7ECFF84714F04C46AFD899A096EB30ED45CBA1

Function 009A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009A8D5A
GetFocus.USER32 ref: 009A8D6A
GetDlgCtrlID.USER32(00000000), ref: 009A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 009A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009A8ECF
GetMenuItemCount.USER32(?), ref: 009A8EEC
GetMenuItemID.USER32(?,00000000), ref: 009A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009A8FA1

Strings

0, xrefs: 009A8E9F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 3a3b5c567a2e5db9707b6aff4286ed2ca10ec6f46128dcef25c43e309635fc8c
Instruction ID: 0144e6ab0fa7b5aa072a62d857f814ac072eb630550d7b17bf13540575af678a
Opcode Fuzzy Hash: 3a3b5c567a2e5db9707b6aff4286ed2ca10ec6f46128dcef25c43e309635fc8c
Instruction Fuzzy Hash: 2B819D71508302AFDB20DF24D884AABBBE9FF8A754F140919F9859B291DB70DD01DBE1

Function 0097DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0097DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0097DC46
_wcslen.LIBCMT ref: 0097DC50
_wcsstr.LIBVCRUNTIME ref: 0097DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0097DCBC

Strings

%u.%u.%u.%u, xrefs: 0097DD9A
DefaultLangCodepage, xrefs: 0097DD1F
04090000, xrefs: 0097DCF2
\VarFileInfo\Translation, xrefs: 0097DCB4
StringFileInfo\, xrefs: 0097DC8F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a37f42a19cad3bcfc6a659160a1937e974cb0358a591816aac0f7cbe2c121108
Instruction ID: bc9f39f5e71fb7906ac2d557833678b2ab07a26ba0a170d54f918e5bd1417b51
Opcode Fuzzy Hash: a37f42a19cad3bcfc6a659160a1937e974cb0358a591816aac0f7cbe2c121108
Instruction Fuzzy Hash: 21412373A412147ADB15A774AC47FBF37BCEF86710F10406AF908A61C2EB7599009BA5

Function 0099CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0099CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0099CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0099CD48

Part of subcall function 0099CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0099CCAA
Part of subcall function 0099CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0099CCBD
Part of subcall function 0099CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0099CCCF
Part of subcall function 0099CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0099CD05
Part of subcall function 0099CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0099CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0099CCF3

Strings

advapi32.dll, xrefs: 0099CCB8
RegDeleteKeyExW, xrefs: 0099CCC9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d5ff91b1a3d37a5127b0d0254cc347fb8c18f8b2ab8760dda486a323545303f3
Instruction ID: f90725def275f2efdd70389053fbcd853d98076e570c05b8d0e66b26934466c2
Opcode Fuzzy Hash: d5ff91b1a3d37a5127b0d0254cc347fb8c18f8b2ab8760dda486a323545303f3
Instruction Fuzzy Hash: AF3180B1A01128BBDB208B54DC88EFFBB7CEF56740F000565E905E6280D7349E45EAF0

Function 00983D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00983D40
_wcslen.LIBCMT ref: 00983D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00983D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00983DBE
RemoveDirectoryW.KERNEL32(?), ref: 00983DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00983E55
CloseHandle.KERNEL32(00000000), ref: 00983E60
CloseHandle.KERNEL32(00000000), ref: 00983E6B

Strings

\??\%s, xrefs: 00983D5B
\, xrefs: 00983D77
:, xrefs: 00983D82

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 3cbf7f17ae5b1a6502089879d21ec7b7c5b1c4087f8ff82b793c564d0e0dde2d
Instruction ID: 4223f14048c10b4d51f8c59b239310acc103ecb08514dd18f43e09054bc1a782
Opcode Fuzzy Hash: 3cbf7f17ae5b1a6502089879d21ec7b7c5b1c4087f8ff82b793c564d0e0dde2d
Instruction Fuzzy Hash: A631C6B1914109ABDB21AFA0DC49FEF37BCEF89B00F1080B5F915D6190EB7497448B64

Function 0097E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0097E6B4

Part of subcall function 0092E551: timeGetTime.WINMM(?,?,0097E6D4), ref: 0092E555

Sleep.KERNEL32(0000000A), ref: 0097E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0097E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0097E727
SetActiveWindow.USER32 ref: 0097E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0097E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0097E773
Sleep.KERNEL32(000000FA), ref: 0097E77E
IsWindow.USER32 ref: 0097E78A
EndDialog.USER32(00000000), ref: 0097E79B

Strings

BUTTON, xrefs: 0097E719

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 325f5d24b78c8606fcafeff6695b7a2e9f4bb1a830a0c0266b8c91d0767ec88a
Instruction ID: f67ccc352fbf47748755a95ea34f98d88de7455e0fcd5d94d66929170ffd504e
Opcode Fuzzy Hash: 325f5d24b78c8606fcafeff6695b7a2e9f4bb1a830a0c0266b8c91d0767ec88a
Instruction Fuzzy Hash: DC2199B222C245AFEF005F24ECC9B293B6DFB59749F109465F50D89171DBB1AC00BA54

Function 0097E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0097EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0097EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0097EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0097EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0097EAA7

Strings

alias PlayMe, xrefs: 0097EA36
play PlayMe, xrefs: 0097EAA2
status PlayMe mode, xrefs: 0097EA58
close PlayMe, xrefs: 0097EA6E, 0097EA9B
open , xrefs: 0097EA0C
play PlayMe wait, xrefs: 0097EA91

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8749a247957461eefb78bffb1c6860c28fb72654f5e63a9e3533d61b9002e3b1
Instruction ID: 935e6a93ce69b194b978a8f376f6585e1f89a1dbe9e5e920ee7867fc972d29dc
Opcode Fuzzy Hash: 8749a247957461eefb78bffb1c6860c28fb72654f5e63a9e3533d61b9002e3b1
Instruction Fuzzy Hash: 1011A032B9021D79D724A7A5DC5AEFF6B7CEBD6F44F40842AB811A20D0EEB01945C5B0

Function 00975CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00975CE2
GetWindowRect.USER32(00000000,?), ref: 00975CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00975D59
GetDlgItem.USER32(?,00000002), ref: 00975D69
GetWindowRect.USER32(00000000,?), ref: 00975D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00975DCF
GetDlgItem.USER32(?,000003E9), ref: 00975DDD
GetWindowRect.USER32(00000000,?), ref: 00975DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00975E31
GetDlgItem.USER32(?,000003EA), ref: 00975E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00975E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00975E67

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 65a9759b34748a5e32f8dc7b63d93cc704fb4fab4793daec2dca11209f3cd5c8
Instruction ID: 7c7df54cb950117a5a0a6767aae33f2f1d85ae0f0c7dc0612cd093ee24cb52c1
Opcode Fuzzy Hash: 65a9759b34748a5e32f8dc7b63d93cc704fb4fab4793daec2dca11209f3cd5c8
Instruction Fuzzy Hash: B751FDB1B10605AFDF18CF68DD89AAEBBB9FF48300F158129F519E6290D7709E04CB90

Function 00928BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00928F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00928BE8,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 00928FC5

DestroyWindow.USER32(?), ref: 00928C81
KillTimer.USER32(00000000,?,?,?,?,00928BBA,00000000,?), ref: 00928D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00966973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 009669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00928BBA,00000000,?), ref: 009669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00928BBA,00000000), ref: 009669D4
DeleteObject.GDI32(00000000), ref: 009669E6

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 40f716a9f79c1146c218c71cd7302cd5909ae12e9d02c8ec7beb1317e2426c17
Instruction ID: f231a7937c5c5aa6ef01bdc313eb3a5406b14919abb3b4770d7e84cdbb1434d9
Opcode Fuzzy Hash: 40f716a9f79c1146c218c71cd7302cd5909ae12e9d02c8ec7beb1317e2426c17
Instruction Fuzzy Hash: 1E61AD71516660DFDB25DF14EA88B2AB7F5FF41312F14491CE0829B5A8CB35AC90EF90

Function 00929838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00929944: GetWindowLongW.USER32(?,000000EB), ref: 00929952

GetSysColor.USER32(0000000F), ref: 00929862

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3e9c341767c7a0a81ed54beac1676c003c0b6c6d3578e4c386d2844e2eb75efb
Instruction ID: 884a24ca2bd9ef312d5bbcd4b6fbba13739322ac0d2e891ab93e3843681d1c43
Opcode Fuzzy Hash: 3e9c341767c7a0a81ed54beac1676c003c0b6c6d3578e4c386d2844e2eb75efb
Instruction Fuzzy Hash: F041D771508654AFDB245F38AC88BB93BA9FF17330F184655F9A28B1E5C7319C42EB50

Function 009796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0095F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00979717
LoadStringW.USER32(00000000,?,0095F7F8,00000001), ref: 00979720

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0095F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00979742
LoadStringW.USER32(00000000,?,0095F7F8,00000001), ref: 00979745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00979866

Strings

Line %d (File "%s"):, xrefs: 0097978F
^ ERROR, xrefs: 009797FB
Error: , xrefs: 0097981D
Line %d:, xrefs: 009797A0
%s (%d) : ==> %s: %s %s, xrefs: 0097984A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8ab35c0de5c2b5e567da6b661b696b4d967861d4359bdbb2f32a2e57d6d955f4
Instruction ID: b0dc41f3b2b739c2d2125fb5d890d1f431c1ea14b91544616619a116205c6742
Opcode Fuzzy Hash: 8ab35c0de5c2b5e567da6b661b696b4d967861d4359bdbb2f32a2e57d6d955f4
Instruction Fuzzy Hash: 2541607290420DAADF04EBE0DD96EEEB378EF95340F504065F60672092EB356F89CB61

Function 009706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00970804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0097082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00970837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0097083C

Strings

\CLSID, xrefs: 00970724
SOFTWARE\Classes\, xrefs: 0097070E
\IPC$, xrefs: 00970784

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a9ba808bfd9caeeb4c3b300551c135cb94c6ce76f5b0ade884a62b428584d89f
Instruction ID: c2cfc31ae6ce721af013af083b260ef793d55db7b2f5bde49504e0a46699963b
Opcode Fuzzy Hash: a9ba808bfd9caeeb4c3b300551c135cb94c6ce76f5b0ade884a62b428584d89f
Instruction Fuzzy Hash: 7E413872D1022CEBCF15EBA4DC95DEDB778BF84350F44812AE915A7160EB30AE44CB90

Function 00993C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00993C5C
CoInitialize.OLE32(00000000), ref: 00993C8A
CoUninitialize.OLE32 ref: 00993C94
_wcslen.LIBCMT ref: 00993D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00993DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00993ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00993F0E
CoGetObject.OLE32(?,00000000,009AFB98,?), ref: 00993F2D
SetErrorMode.KERNEL32(00000000), ref: 00993F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00993FC4
VariantClear.OLEAUT32(?), ref: 00993FD8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 539afd39048de1b0cadde9df4391867d2183c2483683153cfddab48de4e5f93b
Instruction ID: 3f35f6b8b27b8fcc579474a3cb7a36c60b454d63f00127d28e1a266d96bda052
Opcode Fuzzy Hash: 539afd39048de1b0cadde9df4391867d2183c2483683153cfddab48de4e5f93b
Instruction Fuzzy Hash: 27C136716083059FDB00DF68C89492BBBE9FF89744F14891DF98A9B250DB31EE45CB92

Function 00987A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00987AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00987B8F
SHGetDesktopFolder.SHELL32(?), ref: 00987BA3
CoCreateInstance.OLE32(009AFD08,00000000,00000001,009D6E6C,?), ref: 00987BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00987C74
CoTaskMemFree.OLE32(?,?), ref: 00987CCC
SHBrowseForFolderW.SHELL32(?), ref: 00987D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00987D7A
CoTaskMemFree.OLE32(00000000), ref: 00987D81
CoTaskMemFree.OLE32(00000000), ref: 00987DD6
CoUninitialize.OLE32 ref: 00987DDC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4bebad256bb917c91497e2289ffb72d6607ea64ba571472ddaa686fc703f73c4
Instruction ID: 81b50f12949c1fe89c316917d0a1cb98e715a4396116337fc22a7dc1dfad3067
Opcode Fuzzy Hash: 4bebad256bb917c91497e2289ffb72d6607ea64ba571472ddaa686fc703f73c4
Instruction Fuzzy Hash: 23C1F975A04109AFCB14DFA4C894DAEBBF9FF49314B148499E81ADB361D730EE85CB90

Function 009A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009A5515
CharNextW.USER32(00000158), ref: 009A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009A55AC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 888b367c310733fa840c653ba8eb184e3c59414c18338d4e812742e3e0bfdcd1
Instruction ID: fc0d4fa957aeff0050aa27a535893dd91d063d94584748e13b52ae7dcfc4d029
Opcode Fuzzy Hash: 888b367c310733fa840c653ba8eb184e3c59414c18338d4e812742e3e0bfdcd1
Instruction Fuzzy Hash: 31618B71A04609EBDF10CF94CC85AFE7BB9EF4B720F514545F925AA2A0D7748A80DBE0

Function 0096FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0096FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0096FB08
VariantInit.OLEAUT32(?), ref: 0096FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0096FB3A
VariantCopy.OLEAUT32(?,?), ref: 0096FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0096FBA1
VariantClear.OLEAUT32(?), ref: 0096FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0096FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096FBCC
VariantClear.OLEAUT32(?), ref: 0096FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0096FBE9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3c8119da55e151bad8ee55ae1222163ec5a9af61e0573ccf6e22c22a6fd77737
Instruction ID: 817aa2b367c05fadec35923296ee22f6733113baa93fdcab579ee905c9e76c79
Opcode Fuzzy Hash: 3c8119da55e151bad8ee55ae1222163ec5a9af61e0573ccf6e22c22a6fd77737
Instruction Fuzzy Hash: 9C415375A04219DFCB00DFA4D8649EDBBB9FF49344F008069F955AB261DB30E945DF90

Function 00979C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00979CA1
GetAsyncKeyState.USER32(000000A0), ref: 00979D22
GetKeyState.USER32(000000A0), ref: 00979D3D
GetAsyncKeyState.USER32(000000A1), ref: 00979D57
GetKeyState.USER32(000000A1), ref: 00979D6C
GetAsyncKeyState.USER32(00000011), ref: 00979D84
GetKeyState.USER32(00000011), ref: 00979D96
GetAsyncKeyState.USER32(00000012), ref: 00979DAE
GetKeyState.USER32(00000012), ref: 00979DC0
GetAsyncKeyState.USER32(0000005B), ref: 00979DD8
GetKeyState.USER32(0000005B), ref: 00979DEA

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5c9a41adf3efb7e3f1f56dd801c89edafa28d2c2acfab01fedb4f97336ef3478
Instruction ID: 58a78067598f09062e7674cdda8f1f26136c1b810d81c9afd02bbed65471b004
Opcode Fuzzy Hash: 5c9a41adf3efb7e3f1f56dd801c89edafa28d2c2acfab01fedb4f97336ef3478
Instruction Fuzzy Hash: C241EB755087C96DFF31876484043B5BEE8EF12344F08C05AEACE5A6C2EBA499C4C7D2

Function 0099055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009905BC
inet_addr.WSOCK32(?), ref: 0099061C
gethostbyname.WSOCK32(?), ref: 00990628
IcmpCreateFile.IPHLPAPI ref: 00990636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009907B9
WSACleanup.WSOCK32 ref: 009907BF

Strings

Ping, xrefs: 00990676

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c923470c29d0da6c6b9ae87d8cd5077e0cc115789935c3f7a20992a70e71d1c5
Instruction ID: 5cd283674a37a8ab5ad3c5cd556d2e3d3baa6f71098194d4f44f394e18e95885
Opcode Fuzzy Hash: c923470c29d0da6c6b9ae87d8cd5077e0cc115789935c3f7a20992a70e71d1c5
Instruction Fuzzy Hash: 8A9180756082019FD720CF19D889F1ABBE4AF84328F1585A9F4698B7A2C734FD85CF91

Function 00998CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00998CF3

Part of subcall function 00978E54: _wcslen.LIBCMT ref: 00978E77

_wcslen.LIBCMT ref: 00998D4E
_wcslen.LIBCMT ref: 00998D9C
_wcslen.LIBCMT ref: 00998DDC
_wcslen.LIBCMT ref: 00998E6E

Strings

none, xrefs: 00998E65, 00998E6A
cdecl, xrefs: 00998D48, 00998D4D
winapi, xrefs: 00998D96, 00998D9B
stdcall, xrefs: 00998DD6, 00998DDB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 3967a293c3d34d3703ef5e65274c039eba3ccce7ec3d5c11a5bc964449a5b15b
Instruction ID: e3833633bbb0373b206783d64b63d54d7f8d4284b6724c79c0b28af331afa2c2
Opcode Fuzzy Hash: 3967a293c3d34d3703ef5e65274c039eba3ccce7ec3d5c11a5bc964449a5b15b
Instruction Fuzzy Hash: 5E51B131A001169BCF24EFACC8509BFB3A9BF66724B21462DE426E72C4EB35DD40C790

Function 0099372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00993774
CoUninitialize.OLE32 ref: 0099377F
CoCreateInstance.OLE32(?,00000000,00000017,009AFB78,?), ref: 009937D9
IIDFromString.OLE32(?,?), ref: 0099384C
VariantInit.OLEAUT32(?), ref: 009938E4
VariantClear.OLEAUT32(?), ref: 00993936

Strings

Failed to create object, xrefs: 009937E4, 0099389A
Invalid parameter, xrefs: 00993865
NULL Pointer assignment, xrefs: 0099381E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: fe6b4ab0119ed96c59120db038abddbe5dde5c5ccc41d5680b09e6e5680e0ca8
Instruction ID: 6f93a559469324d1b9f5506608a39509f21b016fb8d19d6ee5854cd151e2ac4b
Opcode Fuzzy Hash: fe6b4ab0119ed96c59120db038abddbe5dde5c5ccc41d5680b09e6e5680e0ca8
Instruction Fuzzy Hash: 1361B2B1608301AFD710DF99C848F6AB7E8EF89714F00880DF9859B291D774EE48CB92

Function 00988195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00988257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00988267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00988273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00988310
SetCurrentDirectoryW.KERNEL32(?), ref: 00988324
SetCurrentDirectoryW.KERNEL32(?), ref: 00988356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0098838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00988395

Strings

*.*, xrefs: 0098839B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2a18a32f372e2e448fef12a615c4c94e01c6a80ba9ef0aa3e8694e1f251dc112
Instruction ID: 08c729553e5bf537c642a148cbc167ecd825c898ef971cf0fe8d0a2987cedf95
Opcode Fuzzy Hash: 2a18a32f372e2e448fef12a615c4c94e01c6a80ba9ef0aa3e8694e1f251dc112
Instruction Fuzzy Hash: A2616FB25083059FCB10EF54C844A9FB3E9FF89310F44891EF99997251DB35E945CBA2

Function 00983388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009833CF

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009833F0

Strings

Line %d (File "%s"):, xrefs: 00983443, 0098345C
Error: , xrefs: 009834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00983504
"%s" (%d) : ==> %s:, xrefs: 00983522
^ ERROR , xrefs: 0098349E
Incorrect parameters to object property !, xrefs: 009834AB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bd5f190e8d4ea699060ddb9d580c8c266bdcc5475bfee3ab546fd6b47fd7b22b
Instruction ID: b4c4b1dc05dc4a0d4c657dd6e4e8780c6104f2e783da302f7c4869577fab1392
Opcode Fuzzy Hash: bd5f190e8d4ea699060ddb9d580c8c266bdcc5475bfee3ab546fd6b47fd7b22b
Instruction Fuzzy Hash: 9F519272904209AADF14EBE0DD52FEEB778EF44740F108065F50972161EB356F98DB60

Function 0097B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0097B5FC
_wcslen.LIBCMT ref: 0097B608
_wcslen.LIBCMT ref: 0097B64D
_wcslen.LIBCMT ref: 0097B68C
_wcslen.LIBCMT ref: 0097B6C7

Strings

REMOVE, xrefs: 0097B602, 0097B607
KEYS, xrefs: 0097B647, 0097B64C
APPEND, xrefs: 0097B6C1, 0097B6C6
EXISTS, xrefs: 0097B686, 0097B68B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4171929c8ed09b5c6a7f5adc19f4a15436c156e9adc51e453dbe67f8dbe7542c
Instruction ID: adf016cf42824a49fe886a113ba1fd5405a2703d944b2a4e76fc3f780aea3e8c
Opcode Fuzzy Hash: 4171929c8ed09b5c6a7f5adc19f4a15436c156e9adc51e453dbe67f8dbe7542c
Instruction Fuzzy Hash: 5F41DB33A001269ACB205F7DC8907BE77A9BFA0774B258129E629DB284E735CD81C790

Function 00985393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00985416
GetLastError.KERNEL32 ref: 00985420
SetErrorMode.KERNEL32(00000000,READY), ref: 009854A7

Strings

INVALID, xrefs: 00985459
NOTREADY, xrefs: 0098544B
UNKNOWN, xrefs: 00985444
READY, xrefs: 00985460, 00985468
READONLY, xrefs: 00985452

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8b589570026240bc0079e7fdc7fe6f0ed93381cc3472a6678274050b871b12e2
Instruction ID: 3595ab0051776f77de7d766630b7dc56c7125aa76db8e4545d32424bd30ab689
Opcode Fuzzy Hash: 8b589570026240bc0079e7fdc7fe6f0ed93381cc3472a6678274050b871b12e2
Instruction Fuzzy Hash: E3318F75A006059FD710EF68C884BAABBF8EF45305F158065E405CF3A2DB75DD8ACB90

Function 009A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009A3C79
SetMenu.USER32(?,00000000), ref: 009A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009A3D10
IsMenu.USER32(?), ref: 009A3D24
CreatePopupMenu.USER32 ref: 009A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009A3D5B
DrawMenuBar.USER32 ref: 009A3D63

Strings

0, xrefs: 009A3C54
F, xrefs: 009A3D4E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4a5fddbe3b3ccbcd9f048c96502bd1ef1813742e9784671457d584521b204b38
Instruction ID: 6cb4148ba825f6ec22b341c8371c29d9949edf36465b89b22bfb7fa063e0755e
Opcode Fuzzy Hash: 4a5fddbe3b3ccbcd9f048c96502bd1ef1813742e9784671457d584521b204b38
Instruction Fuzzy Hash: E0415E75A15209EFDB14CF64D884ADA77B9FF4A350F144029F946AB3A0D730AE10DF94

Function 00971EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00971F64
GetDlgCtrlID.USER32 ref: 00971F6F
GetParent.USER32 ref: 00971F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00971F8E
GetDlgCtrlID.USER32(?), ref: 00971F97
GetParent.USER32(?), ref: 00971FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00971FAE

Strings

ComboBox, xrefs: 00971EEC
ListBox, xrefs: 00971F21

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: df6e9043a9a3abe1f5e598fd8302eccc284a02160248f52768c1fdd9aeb2757d
Instruction ID: 6f74d3676f103d5da209d97d15511dc45ec8b272c90160bf5d48f569ae51f73b
Opcode Fuzzy Hash: df6e9043a9a3abe1f5e598fd8302eccc284a02160248f52768c1fdd9aeb2757d
Instruction Fuzzy Hash: 4521C271A00218BBCF05EFA4CC95EEEBBB8EF46350B108156F9A567291DB385944DBA0

Function 009A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 009A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009A3C13

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b7a0fea38018bf5abb7b8aecb7c4e9ee9279d84b9d903eaaefb52ce0a074d03e
Instruction ID: 5e4cdc3aa5eae63d7a679a1b6f91421a1c588d95992976af8fdf1f8451f83a38
Opcode Fuzzy Hash: b7a0fea38018bf5abb7b8aecb7c4e9ee9279d84b9d903eaaefb52ce0a074d03e
Instruction Fuzzy Hash: DC617E75900248AFDB10DFA4CC81EEE77F8EF49710F104159FA15AB291D774AE45DBA0

Function 0097B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0097B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B165
GetWindowThreadProcessId.USER32(00000000), ref: 0097B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0097B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0097A1E1,?,00000001), ref: 0097B21D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d8da45803a1b6fc80501651d88ed8426b607c477e92eb3947889951d2f008f57
Instruction ID: 6832a06c5c383bbea55ed04de950798e03c0b77d35579d162450af4d98f3e89f
Opcode Fuzzy Hash: d8da45803a1b6fc80501651d88ed8426b607c477e92eb3947889951d2f008f57
Instruction Fuzzy Hash: D8315CB6528208FFDB109F64DC88B6D7BADAF62312F10C415FA19DB191D7B49E409FA0

Function 00942C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00942C94

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 00942CA0
_free.LIBCMT ref: 00942CAB
_free.LIBCMT ref: 00942CB6
_free.LIBCMT ref: 00942CC1
_free.LIBCMT ref: 00942CCC
_free.LIBCMT ref: 00942CD7
_free.LIBCMT ref: 00942CE2
_free.LIBCMT ref: 00942CED
_free.LIBCMT ref: 00942CFB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f06cf86e0fca99c0be2d30819eb200e2cfb95cf825d39c540f0bc2e32aa2c81f
Instruction ID: 297157afeb104a21b2d6a5d03fdb24c1b97a025fc78e002017bb1e94c1b967f6
Opcode Fuzzy Hash: f06cf86e0fca99c0be2d30819eb200e2cfb95cf825d39c540f0bc2e32aa2c81f
Instruction Fuzzy Hash: 2A11C576100108BFDB02EF95DA92EDD3BA9FF45350F9144A5FA489F232DA31EE509B90

Function 00987DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00987FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00987FC1
GetFileAttributesW.KERNEL32(?), ref: 00987FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00988005
SetCurrentDirectoryW.KERNEL32(?), ref: 00988017
SetCurrentDirectoryW.KERNEL32(?), ref: 00988060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009880B0

Strings

*.*, xrefs: 00988066

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c3bd42bc77ce1d8687c18de279ded6332bd674d56eb4d1cb5710c5219e9ab19a
Instruction ID: 9992a56852fba7b6a5e11c1be95eecfc6f4e0cd73ec22ccc34a1c7020fdf8684
Opcode Fuzzy Hash: c3bd42bc77ce1d8687c18de279ded6332bd674d56eb4d1cb5710c5219e9ab19a
Instruction Fuzzy Hash: F381A2725082059BCB20FF94C444AAAF3E8BF89310F644C5EF889D7361EB35DD458B92

Function 00915BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00915C7A

Part of subcall function 00915D0A: GetClientRect.USER32(?,?), ref: 00915D30
Part of subcall function 00915D0A: GetWindowRect.USER32(?,?), ref: 00915D71
Part of subcall function 00915D0A: ScreenToClient.USER32(?,?), ref: 00915D99

GetDC.USER32 ref: 009546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00954708
SelectObject.GDI32(00000000,00000000), ref: 00954716
SelectObject.GDI32(00000000,00000000), ref: 0095472B
ReleaseDC.USER32(?,00000000), ref: 00954733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009547C4

Strings

U, xrefs: 00954693

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b345c56cae30821a8f141d71077ba0cf1b73ed22c077b01788dab6bc1de36d94
Instruction ID: 7ccbc4781743c3766aee89866634a286456bc451cf211f6ed65f8a602aa12122
Opcode Fuzzy Hash: b345c56cae30821a8f141d71077ba0cf1b73ed22c077b01788dab6bc1de36d94
Instruction Fuzzy Hash: CC71FF34504209DFCF21CF64C984AEA3BB9FF8A32AF154229ED555A2A6C7308CC5DF90

Function 0098359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009835E4

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

LoadStringW.USER32(009E2390,?,00000FFF,?), ref: 0098360A

Strings

Line %d (File "%s"):, xrefs: 0098366B
^ ERROR, xrefs: 009836C9
Error: , xrefs: 009836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00983724
"%s" (%d) : ==> %s:, xrefs: 00983742

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 43b845855e516d1228db3b78efeee5d396b6cff9cddfa5a2d62e009df19d12f4
Instruction ID: 1a8783693c2909fd8719facd2ecf14d183f948c316f86614420b1c8f44a1394a
Opcode Fuzzy Hash: 43b845855e516d1228db3b78efeee5d396b6cff9cddfa5a2d62e009df19d12f4
Instruction Fuzzy Hash: 7A517E72900209BADF14EBA0DC52FEDBB38EF84740F548125F515721A1EB306AD9DFA0

Function 009A8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

Part of subcall function 0092912D: GetCursorPos.USER32(?), ref: 00929141
Part of subcall function 0092912D: ScreenToClient.USER32(00000000,?), ref: 0092915E
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000001), ref: 00929183
Part of subcall function 0092912D: GetAsyncKeyState.USER32(00000002), ref: 0092919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 009A8B6B
ImageList_EndDrag.COMCTL32 ref: 009A8B71
ReleaseCapture.USER32 ref: 009A8B77
SetWindowTextW.USER32(?,00000000), ref: 009A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 009A8CFF

Strings

@GUI_DRAGFILE, xrefs: 009A8C9A
@GUI_DROPID, xrefs: 009A8C51

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 43a58c72d8944f1e4a53536473b76d816e0da90529a7245324dbad837f444668
Instruction ID: af32ae2f63f121798aaa67e60d82f2c00eb0ad1b406b56eedc079238f194a454
Opcode Fuzzy Hash: 43a58c72d8944f1e4a53536473b76d816e0da90529a7245324dbad837f444668
Instruction Fuzzy Hash: BF518B70208344AFD714DF14DC96FAA77E4FB89754F000629F9966B2A2DB709D44CBA2

Function 0098C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0098C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0098C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0098C2CA
GetLastError.KERNEL32 ref: 0098C322
SetEvent.KERNEL32(?), ref: 0098C336
InternetCloseHandle.WININET(00000000), ref: 0098C341

Strings

, xrefs: 0098C2BB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 42959bfb5fcb5fa08e7eb758f04b414b3791c43168eab0795673e161621c1b00
Instruction ID: 324849d781b878f68d655ffb295d42f23c809ada8e275f68f1b9e92c5d05535b
Opcode Fuzzy Hash: 42959bfb5fcb5fa08e7eb758f04b414b3791c43168eab0795673e161621c1b00
Instruction Fuzzy Hash: 473169F1604608AFDB21AFA49888AAB7BFCEF4A744B10851EF446D6340DB34DD059BB0

Function 0097989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00953AAF,?,?,Bad directive syntax error,009ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009798BC
LoadStringW.USER32(00000000,?,00953AAF,?), ref: 009798C3

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00979987

Strings

Line %d (File "%s"):, xrefs: 0097992D
Error: , xrefs: 00979955
%s (%d) : ==> %s.: %s %s, xrefs: 009798F1
., xrefs: 0097996D
Line %d:, xrefs: 00979912

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8133bfdd35b5ff313929bc628545923372d81019fe5347aa326d23f240936951
Instruction ID: 48a594f1aabb0e31df7ec0a57203c67d9c7d9b5016bc020be1f86d62119f9803
Opcode Fuzzy Hash: 8133bfdd35b5ff313929bc628545923372d81019fe5347aa326d23f240936951
Instruction Fuzzy Hash: 6D21B13294021EABDF11EF90CC16FEE7779FF58304F048466F629660A2EB31A658DB50

Function 0097209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0097214D

Strings

SHELLDLL_DefView, xrefs: 009720CC
list, xrefs: 0097212F
largeicons, xrefs: 009720E1
details, xrefs: 009720FB
smallicons, xrefs: 00972115

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 84e240b9665705913022e22b41ce0016256996db278305e8f459e97eb79d7fda
Instruction ID: 664afe839fc361cfb28c47bd92bbebb30dccf2bd66ad6d23047201deba0d7588
Opcode Fuzzy Hash: 84e240b9665705913022e22b41ce0016256996db278305e8f459e97eb79d7fda
Instruction Fuzzy Hash: E411067B6DC707B9F6016720DC06EB6379CEF45328F618017FB08E91E1EE69A8015B54

Function 00948D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55cd2663b6e7a6a55a87adbee2d601be4a3fbcf46925f33851c15025047d541
Instruction ID: 8083d4decfa73b029cfedffb26d45f9e72192c1e6b171c7d642f915c61617ff9
Opcode Fuzzy Hash: d55cd2663b6e7a6a55a87adbee2d601be4a3fbcf46925f33851c15025047d541
Instruction Fuzzy Hash: 94C1D074E04249AFDF11DFA8D881FAFBBB8AF49310F044199F814AB392CB749941CB61

Function 0094CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0094CEB7
_free.LIBCMT ref: 0094CF22
_free.LIBCMT ref: 0094CF48
_free.LIBCMT ref: 0094CF71
_free.LIBCMT ref: 0094CFA9
_free.LIBCMT ref: 0094CFDA
_free.LIBCMT ref: 0094D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0094D09C
_free.LIBCMT ref: 0094D0B5

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b6758646d107a4575cf67f6f5c1c85be13979989c489b408ca1505356336758e
Instruction ID: f659ff457532438e89b0f149af2797348cfda4be185e4ba9f59cd2d353298d1a
Opcode Fuzzy Hash: b6758646d107a4575cf67f6f5c1c85be13979989c489b408ca1505356336758e
Instruction Fuzzy Hash: 11618DB1906301AFDF21AFB4DC91F6E7BA9EF45310F4441ADF9409B282DB399D448760

Function 009A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009A5186
ShowWindow.USER32(?,00000000), ref: 009A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009A51D1

Part of subcall function 009A6FBA: DeleteObject.GDI32(00000000), ref: 009A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 009A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009A5296

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 07ea764c6e04b519778451f3757279936339485b28254930a13e1343a9178abc
Instruction ID: 95e8ff4564094b29a06948b3e3a95bcc460e47c7f39168529b827993586d50bf
Opcode Fuzzy Hash: 07ea764c6e04b519778451f3757279936339485b28254930a13e1343a9178abc
Instruction Fuzzy Hash: 3F51A270B59A08BEEF309F24DC49BE83B69EB47321F164011FA259A2E1C775D980DBC0

Function 00928B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00966890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00928874,00000000,00000000,00000000,000000FF,00000000), ref: 00966901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0096691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00928874,00000000,00000000,00000000,000000FF,00000000), ref: 0096692D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7283d1ba602a74ece175ee067580ab65bc872d5444ef78322134016d3ec1fa0c
Instruction ID: df631433e8549cd8e0d75c9db5884ad8420729f15ea1ad8ab44c3c9c9cf6fef9
Opcode Fuzzy Hash: 7283d1ba602a74ece175ee067580ab65bc872d5444ef78322134016d3ec1fa0c
Instruction Fuzzy Hash: EE515BB0610209AFDB24CF24DC95FAA7BB9EF98750F10451CF9569B2A0DB70E990DB90

Function 0098C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0098C182
GetLastError.KERNEL32 ref: 0098C195
SetEvent.KERNEL32(?), ref: 0098C1A9

Part of subcall function 0098C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0098C272
Part of subcall function 0098C253: GetLastError.KERNEL32 ref: 0098C322
Part of subcall function 0098C253: SetEvent.KERNEL32(?), ref: 0098C336
Part of subcall function 0098C253: InternetCloseHandle.WININET(00000000), ref: 0098C341

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7bcfae296122d0544862d4b7e9911833717d060b965bbc363bcadc806e99c569
Instruction ID: c77e28482c2fdd7203443c1716f6de224dbc7cd0c199c2b894e05ccb9042ba7d
Opcode Fuzzy Hash: 7bcfae296122d0544862d4b7e9911833717d060b965bbc363bcadc806e99c569
Instruction Fuzzy Hash: C2317CB1204601BFDB21AFA5DC48A66BBECFF59310B00841DF96686760DB35E814ABB0

Function 009725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00973A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00973A57
Part of subcall function 00973A3D: GetCurrentThreadId.KERNEL32 ref: 00973A5E
Part of subcall function 00973A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009725B3), ref: 00973A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00972601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00972605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0097260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00972623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00972627

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0dc333b5b5f0e7aaf82620d9cfa58cb0db120a9f7418290f7006a978946d3bb9
Instruction ID: b5ecbceb28dfe924bcfd7b1fdb449f34ecac83d64b584b516274a4638cb79b49
Opcode Fuzzy Hash: 0dc333b5b5f0e7aaf82620d9cfa58cb0db120a9f7418290f7006a978946d3bb9
Instruction Fuzzy Hash: 3601D8713A8210BBFB1067689C8AF593F59DF8EB11F104001F318AE0D1C9E114459AA9

Function 00971803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00971449,?,?,00000000), ref: 0097180C
HeapAlloc.KERNEL32(00000000,?,00971449,?,?,00000000), ref: 00971813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00971449,?,?,00000000), ref: 00971828
GetCurrentProcess.KERNEL32(?,00000000,?,00971449,?,?,00000000), ref: 00971830
DuplicateHandle.KERNEL32(00000000,?,00971449,?,?,00000000), ref: 00971833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00971449,?,?,00000000), ref: 00971843
GetCurrentProcess.KERNEL32(00971449,00000000,?,00971449,?,?,00000000), ref: 0097184B
DuplicateHandle.KERNEL32(00000000,?,00971449,?,?,00000000), ref: 0097184E
CreateThread.KERNEL32(00000000,00000000,00971874,00000000,00000000,00000000), ref: 00971868

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 109a999761235daa73ec0c16d788d91a7336ac21c901ba171f6169a2894227ee
Instruction ID: 2bd291d10cfd35f20a9007d45574915062d343b77c77ee1e9ee66ab57b287d75
Opcode Fuzzy Hash: 109a999761235daa73ec0c16d788d91a7336ac21c901ba171f6169a2894227ee
Instruction Fuzzy Hash: DA01A8B5354308BFE610ABA5DC49F6B3BACEB8AB11F008411FA05DB1A1DA7098009B60

Function 0099A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0097D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0097D501
Part of subcall function 0097D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0097D50F
Part of subcall function 0097D4DC: CloseHandle.KERNEL32(00000000), ref: 0097D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0099A16D
GetLastError.KERNEL32 ref: 0099A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0099A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0099A268
GetLastError.KERNEL32(00000000), ref: 0099A273
CloseHandle.KERNEL32(00000000), ref: 0099A2C4

Strings

SeDebugPrivilege, xrefs: 0099A18F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2671a2ced46198db0af5cd3bf3a2d3e2a5efdd9f08e648c02ae494f478c45c95
Instruction ID: 2a22447e3700225eba3b55a9d4f7424af5dd1bb100bb3f96a0586cc67ff9a1eb
Opcode Fuzzy Hash: 2671a2ced46198db0af5cd3bf3a2d3e2a5efdd9f08e648c02ae494f478c45c95
Instruction Fuzzy Hash: 4D616C71208242AFDB20DF18C494F59BBE5EF94318F14849CE4664B7A2C776ED86CBD2

Function 009A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009A3954
_wcslen.LIBCMT ref: 009A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009A39F4

Strings

SysListView32, xrefs: 009A38F7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d1bedac2d41fdfddd892c05b254efd49eba15609566bf42793790dfce0de7f5a
Instruction ID: a73720c0436c88056691197cd748601edb05a73d34e0c3c4bb358290f835b319
Opcode Fuzzy Hash: d1bedac2d41fdfddd892c05b254efd49eba15609566bf42793790dfce0de7f5a
Instruction Fuzzy Hash: D841C171A00219ABEF21DF64CC49FEA7BA9EF49354F104526F948E7281D7B59E80CBD0

Function 0097BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0097BCFD
IsMenu.USER32(00000000), ref: 0097BD1D
CreatePopupMenu.USER32 ref: 0097BD53
GetMenuItemCount.USER32(015A7218), ref: 0097BDA4
InsertMenuItemW.USER32(015A7218,?,00000001,00000030), ref: 0097BDCC

Strings

2, xrefs: 0097BD37
0, xrefs: 0097BCA8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: bc321bf81b0262fb323ea001a2f4ef7a8e843d66020070f217d3223f1639e6c4
Instruction ID: 25455eafa1b6ae009f5bf412b87bfb0b45d575659f7924a41895c35c0826312e
Opcode Fuzzy Hash: bc321bf81b0262fb323ea001a2f4ef7a8e843d66020070f217d3223f1639e6c4
Instruction Fuzzy Hash: 5E519CB2A042059FDB21CFA8D888BAEBBF8AF85314F14C519F559DB2D1E7709940CB61

Function 0097C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0097C913

Strings

question, xrefs: 0097C8CC
info, xrefs: 0097C8B4
warning, xrefs: 0097C8FC
blank, xrefs: 0097C895
stop, xrefs: 0097C8E4

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e39b8ed89bef719b9b01202fa9a62584f04533a4feb4ff8c1e11d44b2568f5cc
Instruction ID: 4ec15e4d1fd5ac739503c657c8e5776e1cde5cec7ba2d1dbeddecec84940d4bf
Opcode Fuzzy Hash: e39b8ed89bef719b9b01202fa9a62584f04533a4feb4ff8c1e11d44b2568f5cc
Instruction Fuzzy Hash: 78113A7368930ABAE7009B149C83DEA679CDF55318F20842FF608E6282E7B46E005769

Function 0097ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0097ED2A
_wcslen.LIBCMT ref: 0097ED3B
_wcslen.LIBCMT ref: 0097ED79
_wcslen.LIBCMT ref: 0097EDAF
_wcslen.LIBCMT ref: 0097EDDF
_wcslen.LIBCMT ref: 0097EDEF
_wcslen.LIBCMT ref: 0097EE2B
_wcslen.LIBCMT ref: 0097EE5A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b6b2d527f5ac16d0caa18675f609775ed84ed039f3ffc40cf5ae3cc9648eeac1
Instruction ID: e93251b02a5888121b844a8246f051e9b2012d33771d4dcc2d82a58625434509
Opcode Fuzzy Hash: b6b2d527f5ac16d0caa18675f609775ed84ed039f3ffc40cf5ae3cc9648eeac1
Instruction Fuzzy Hash: AA419666C1111875CB11EBF4888ABCF77ACAF89710F518462F528E3121FB34E255CBA5

Function 0092F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 0092F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 0096F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 0096F454

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 35f2fbbec99882e2b9abfa2262293999135f47a39ef9714149bb2de842a73a32
Instruction ID: 3c87697926a1e2773adfd473f16111e515bab132ae4f63f50cd005f622995a32
Opcode Fuzzy Hash: 35f2fbbec99882e2b9abfa2262293999135f47a39ef9714149bb2de842a73a32
Instruction Fuzzy Hash: 74416D3960C790BAC7388B2DF8B8B2A7BF9AF46350F14443CF04756668C635A8C0DB50

Function 009A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009A2D1B
GetDC.USER32(00000000), ref: 009A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 009A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 009A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009A2DE1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d2e074b2a8f19485c9cd9d0a8547d2df00b45bcfab53bb661a68ae558e237852
Instruction ID: c22fa554f47cbccc775223ba73855e75378c10b168834c0a16bd072778d9a71e
Opcode Fuzzy Hash: d2e074b2a8f19485c9cd9d0a8547d2df00b45bcfab53bb661a68ae558e237852
Instruction Fuzzy Hash: 95317CB2215214BFEB118F54CC8AFEB3BADEF0A715F044055FE089E291C6759C50CBA4

Function 00975622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00975637
_memcmp.LIBVCRUNTIME ref: 00975659
_memcmp.LIBVCRUNTIME ref: 00975671
_memcmp.LIBVCRUNTIME ref: 00975684
_memcmp.LIBVCRUNTIME ref: 0097569E
_memcmp.LIBVCRUNTIME ref: 009756B1
_memcmp.LIBVCRUNTIME ref: 009756C9
_memcmp.LIBVCRUNTIME ref: 009756E4

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bbd6053d4c15b5de1a35f4f7016bcb26dc329485a634109ebbc041305d6cd9e3
Instruction ID: b33733b45df1f2c5c11eec1c46151c739cce745c7130e567c23557f8070d8c8e
Opcode Fuzzy Hash: bbd6053d4c15b5de1a35f4f7016bcb26dc329485a634109ebbc041305d6cd9e3
Instruction Fuzzy Hash: BE210B63740A0977D65855218D92FFB335DAFA1398F458020FD0C9A581FBA5EE1085E5

Function 00994FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0099502E, 00995383
Not an Object type, xrefs: 00995007

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 86ccda5f905c75e6df236e6b7e63e9218b4462932536dcd163de4b2011998c9c
Instruction ID: 92c05a8afff6bd1dea61782adbdcca8c6d3d7e9bab4784176e544aaa871eaefa
Opcode Fuzzy Hash: 86ccda5f905c75e6df236e6b7e63e9218b4462932536dcd163de4b2011998c9c
Instruction Fuzzy Hash: 38D1B371A0060ADFDF11CFACC881BAEB7B9BF88344F158469E915AB281E771DD45CB90

Function 00951522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00951651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009517FB,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009516FB

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00951777
__freea.LIBCMT ref: 009517A2
__freea.LIBCMT ref: 009517AE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 12bd24d197a3835f6f121e7d0b880a8956fd9e1929e7f327fc6078ec9d494e29
Instruction ID: ac3ea8b74a5b46645662341bc329e2a4927352aeec0f374516df395aa1beceed
Opcode Fuzzy Hash: 12bd24d197a3835f6f121e7d0b880a8956fd9e1929e7f327fc6078ec9d494e29
Instruction Fuzzy Hash: 5C919371E002169ADB20CE7AC881FEE7BB99F49311F184659FC06E7141EB35DD89CBA0

Function 00994523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00994648
VariantInit.OLEAUT32(?), ref: 00994749
VariantClear.OLEAUT32(?), ref: 00994753
VariantClear.OLEAUT32(?), ref: 009947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 009945D8, 00994706, 009947BE
Incorrect Object type in FOR..IN loop, xrefs: 0099472C

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: a61fe3dc14eb335cef8521e5b81efe71a44ad83c82886ee885665a50da142615
Instruction ID: 71c678a385d2e674b4896f578da3ccc864c11229645ef22c1504b1d24966512f
Opcode Fuzzy Hash: a61fe3dc14eb335cef8521e5b81efe71a44ad83c82886ee885665a50da142615
Instruction Fuzzy Hash: 3891A471A00219AFDF25CFA8CC44FAEBBB8EF86715F108559F505AB280D7709942CFA0

Function 00981187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0098125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00981284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0098135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00981430

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3aa056382bc19452af125a4708bba50b5629dea8f3da82ddcd402d82bd1c2293
Instruction ID: 7d3461e00a4657f5646b5be38f80ea2265b0906f886e057e0a1a70d3eb21778a
Opcode Fuzzy Hash: 3aa056382bc19452af125a4708bba50b5629dea8f3da82ddcd402d82bd1c2293
Instruction Fuzzy Hash: F491E371A002199FDB00EFA4C884BBE77BDFF85315F104429E951EB3A1D778A946CB90

Function 0092948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6ec00357324af2abd1a4198aba295ba34ae8c5d08babbb3a5a8131b23870c319
Instruction ID: 19605ca9b0f6487b538330c126b4237479179f9ca326286d098af07bf99ac6c1
Opcode Fuzzy Hash: 6ec00357324af2abd1a4198aba295ba34ae8c5d08babbb3a5a8131b23870c319
Instruction Fuzzy Hash: 76913771E04229EFCB10CFA9DC84AEEBBB8FF49320F144455E915B7255D378A941CBA0

Function 00993947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0099396B
CharUpperBuffW.USER32(?,?), ref: 00993A7A
_wcslen.LIBCMT ref: 00993A8A
VariantClear.OLEAUT32(?), ref: 00993C1F

Part of subcall function 00980CDF: VariantInit.OLEAUT32(00000000), ref: 00980D1F
Part of subcall function 00980CDF: VariantCopy.OLEAUT32(?,?), ref: 00980D28
Part of subcall function 00980CDF: VariantClear.OLEAUT32(?), ref: 00980D34

Strings

Incorrect Parameter format, xrefs: 009939A6, 00993BA1
AUTOIT.ERROR, xrefs: 00993A80, 00993A85

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 75599aa279d1d5bf088d8f396313cc77a9f13e8b314f2180c24304e94c082233
Instruction ID: 179602030b9a2149ce55f356a3c40bf4bc1612a9e4972f3f244716a90d7483ea
Opcode Fuzzy Hash: 75599aa279d1d5bf088d8f396313cc77a9f13e8b314f2180c24304e94c082233
Instruction Fuzzy Hash: D39149756083059FCB00DF68C490A6AB7E9BFC9314F14886DF8899B351DB31EE45CB92

Function 00994BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0097000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?,?,0097035E), ref: 0097002B
Part of subcall function 0097000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970046
Part of subcall function 0097000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970054
Part of subcall function 0097000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?), ref: 00970064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00994C51
_wcslen.LIBCMT ref: 00994D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00994DCF
CoTaskMemFree.OLE32(?), ref: 00994DDA

Strings

NULL Pointer assignment, xrefs: 00994E23, 00994E52

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 49b254bce8859540303b55fc1cac34129f2ecc00120f1bc4f2774ee0d12c9f2e
Instruction ID: e4901b7cbad84e1dac1ca253ea7422c0fa78fa8deaba2ba435979de28c9255b6
Opcode Fuzzy Hash: 49b254bce8859540303b55fc1cac34129f2ecc00120f1bc4f2774ee0d12c9f2e
Instruction Fuzzy Hash: 31912971D0021D9FDF15DFA4C891EEEB7B8BF48310F108569E919A7291EB349A45CFA0

Function 009A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009A2183
GetMenuItemCount.USER32(00000000), ref: 009A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009A21DD
_wcslen.LIBCMT ref: 009A2213
GetMenuItemID.USER32(?,?), ref: 009A224D
GetSubMenu.USER32(?,?), ref: 009A225B

Part of subcall function 00973A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00973A57
Part of subcall function 00973A3D: GetCurrentThreadId.KERNEL32 ref: 00973A5E
Part of subcall function 00973A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009725B3), ref: 00973A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009A22E3

Part of subcall function 0097E97B: Sleep.KERNEL32 ref: 0097E9F3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4aed7dfa226bb2aaaf6e9c0f569096ebbb0b288a9ffd49b3ef1a1af35b782a8e
Instruction ID: be0eae845b280ace466005cce171066a128b9e1fd837b890144fdb590372554b
Opcode Fuzzy Hash: 4aed7dfa226bb2aaaf6e9c0f569096ebbb0b288a9ffd49b3ef1a1af35b782a8e
Instruction Fuzzy Hash: C3717D75A04205AFCB14DF68C845BAEB7F5EF8A310F158469E826EB351DB34ED418BD0

Function 009A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015A7358), ref: 009A7F37
IsWindowEnabled.USER32(015A7358), ref: 009A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009A801E
SendMessageW.USER32(015A7358,000000B0,?,?), ref: 009A8051
IsDlgButtonChecked.USER32(?,?), ref: 009A8089
GetWindowLongW.USER32(015A7358,000000EC), ref: 009A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009A80C3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5da41e2c5b9279d04766c8878f08fc6206677a1d66e3697c27555c7ab1a69652
Instruction ID: 7ce40e9fb3268a5f873c84e6fa44e31250b90f45fa45a97b16f6b02f0bc96d20
Opcode Fuzzy Hash: 5da41e2c5b9279d04766c8878f08fc6206677a1d66e3697c27555c7ab1a69652
Instruction Fuzzy Hash: 2571AC74608214AFEB21DFA4CC95FEABBB9EF4B300F144459E94597261CB31AE44DBA0

Function 0097AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0097AEF9
GetKeyboardState.USER32(?), ref: 0097AF0E
SetKeyboardState.USER32(?), ref: 0097AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0097AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0097AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0097AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0097B020

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 577b6380ead690fc0e68fcc6c42958e155809f9751c20046fbfc2d7708e18952
Instruction ID: 0da154a88f2257f5cf139bcf83c9814eb3de161a6c09cf1ed0d8c6657ec38fff
Opcode Fuzzy Hash: 577b6380ead690fc0e68fcc6c42958e155809f9751c20046fbfc2d7708e18952
Instruction Fuzzy Hash: B951CFA26086D53DFB3682348C45BBEBEA95B46304F08C589E1ED958C2D398A888D752

Function 0097ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0097AD19
GetKeyboardState.USER32(?), ref: 0097AD2E
SetKeyboardState.USER32(?), ref: 0097AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0097ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0097ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0097AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0097AE38

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5cfe04b07cfaba60c58521c7fb4b19e71f1cac145f43a14cae5865b57cf73757
Instruction ID: 8bd101e56ae551f4e8a1c1ef097a64789006ead7809401a25ef574b2a6f2efc6
Opcode Fuzzy Hash: 5cfe04b07cfaba60c58521c7fb4b19e71f1cac145f43a14cae5865b57cf73757
Instruction Fuzzy Hash: 2051B5A26047D53DFB3683248C55BBE7EAD5F86300F08C589E1DD568C2D294EC84D756

Function 0094542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00953CD6,?,?,?,?,?,?,?,?,00945BA3,?,?,00953CD6,?,?), ref: 00945470
__fassign.LIBCMT ref: 009454EB
__fassign.LIBCMT ref: 00945506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00953CD6,00000005,00000000,00000000), ref: 0094552C
WriteFile.KERNEL32(?,00953CD6,00000000,00945BA3,00000000,?,?,?,?,?,?,?,?,?,00945BA3,?), ref: 0094554B
WriteFile.KERNEL32(?,?,00000001,00945BA3,00000000,?,?,?,?,?,?,?,?,?,00945BA3,?), ref: 00945584

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d6212c4b5f0060b7f263eff5c62dc3b4eea168707abdb44857add6e01935138d
Instruction ID: 730eebb261807ae64e987871568fbad05ce58c65c314f897ddd9826fc94f3a14
Opcode Fuzzy Hash: d6212c4b5f0060b7f263eff5c62dc3b4eea168707abdb44857add6e01935138d
Instruction Fuzzy Hash: FD5103B0A00649AFDB11CFE8D895EEEBBF9EF09300F15451AF545E7292E7309A41CB60

Function 00932D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00932D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00932D53
_ValidateLocalCookies.LIBCMT ref: 00932DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00932E0C
_ValidateLocalCookies.LIBCMT ref: 00932E61

Strings

csm, xrefs: 00932DF6

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c190106f64b5d66a59b46ddfa390d64124cd269ef6dc5cf573462f19290fedd4
Instruction ID: c0745c677518a23c2219b9f81a1307984f86430a9a0d3000dd2532d0fce6cdd5
Opcode Fuzzy Hash: c190106f64b5d66a59b46ddfa390d64124cd269ef6dc5cf573462f19290fedd4
Instruction Fuzzy Hash: 7D418174A00209EBCF10DF68CC85A9EBBB9BF85324F148155E925AB392D735EA05CFD1

Function 009910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0099304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0099307A
Part of subcall function 0099304E: _wcslen.LIBCMT ref: 0099309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00991112
WSAGetLastError.WSOCK32 ref: 00991121
WSAGetLastError.WSOCK32 ref: 009911C9
closesocket.WSOCK32(00000000), ref: 009911F9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: e24925dd885eebf70723c9dd0b43e05a12a9a2722aed9e92b267e6ca16999c89
Instruction ID: 49890d8dbdd7d5846b19c99490ea9072aa03a36959051564c9a4b66a57571dbd
Opcode Fuzzy Hash: e24925dd885eebf70723c9dd0b43e05a12a9a2722aed9e92b267e6ca16999c89
Instruction Fuzzy Hash: CD410571604205AFDB209F18C884BA9BBE9FF85324F148059FD159F291C774ED81CBE0

Function 0097CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0097CF22,?), ref: 0097DDFD

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0097CF22,?), ref: 0097DE16

lstrcmpiW.KERNEL32(?,?), ref: 0097CF45
MoveFileW.KERNEL32(?,?), ref: 0097CF7F
_wcslen.LIBCMT ref: 0097D005
_wcslen.LIBCMT ref: 0097D01B
SHFileOperationW.SHELL32(?), ref: 0097D061

Strings

\*.*, xrefs: 0097CFF3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 674e8df6b37d68e24a4b520bd161023596dde4513088d033a0ead9b2611570a3
Instruction ID: 58578017daa7e161e4ed53555aa4c8e8ba0142df406eab772afc0ab113cf0aaf
Opcode Fuzzy Hash: 674e8df6b37d68e24a4b520bd161023596dde4513088d033a0ead9b2611570a3
Instruction Fuzzy Hash: 6A4149B29451185FDF12EFA4C982BDD77BDAF49780F1040E6E509EB141EB34A644CF50

Function 009A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 009A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 009A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 009A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A2F0B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 62aa15bdd2604c23c7838d65afc284b99904687ec145b010c134201b87c462ef
Instruction ID: 208b3ab30890ba55b8a6ef91319b0b9342b5f3c3c578493c4543a6fb2e1927d6
Opcode Fuzzy Hash: 62aa15bdd2604c23c7838d65afc284b99904687ec145b010c134201b87c462ef
Instruction Fuzzy Hash: B331E331659291AFDB25CF5CEC84F6537E9EB9A710F250164F9058F2B2CB71AC80EB81

Function 00977726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00977769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0097778F
SysAllocString.OLEAUT32(00000000), ref: 00977792
SysAllocString.OLEAUT32(?), ref: 009777B0
SysFreeString.OLEAUT32(?), ref: 009777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009777DE
SysAllocString.OLEAUT32(?), ref: 009777EC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ddc677938f37de4e2484255aac32fed06f1cc4b298c505384faf69ea7e54517f
Instruction ID: 40f3acd11426f098ab8bb0443234117b2f5e7a0ef16c58fa2ee647d404f52e92
Opcode Fuzzy Hash: ddc677938f37de4e2484255aac32fed06f1cc4b298c505384faf69ea7e54517f
Instruction Fuzzy Hash: 8421B076608219AFDB14DFA8DC88DBBB7ECEF09764B008425FA08DB160D674DC4187A4

Function 009777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00977842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00977868
SysAllocString.OLEAUT32(00000000), ref: 0097786B
SysAllocString.OLEAUT32 ref: 0097788C
SysFreeString.OLEAUT32 ref: 00977895
StringFromGUID2.OLE32(?,?,00000028), ref: 009778AF
SysAllocString.OLEAUT32(?), ref: 009778BD

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1f966276ad5efa45dd5302f39351928e6b381722bb56f0635c1025322d88fba3
Instruction ID: c49a84a21d2d037db73d3b6bb1a1ef36889c1eee258313a28131248e10969038
Opcode Fuzzy Hash: 1f966276ad5efa45dd5302f39351928e6b381722bb56f0635c1025322d88fba3
Instruction Fuzzy Hash: EA216072608214AFDB109FE8DC88DBAB7ECEF097607108125F919CB2A5DA74DC41DBA5

Function 009804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0098052E

Strings

nul, xrefs: 00980567

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9b5fab54d014829a682aeb5ee06d5009da730987df3c70ee62435e860667241f
Instruction ID: 2e2b3d856db909d6eefd2e72afc4e76dd694ab3f5eab28c99f10cd12cb8e1cd4
Opcode Fuzzy Hash: 9b5fab54d014829a682aeb5ee06d5009da730987df3c70ee62435e860667241f
Instruction Fuzzy Hash: B4215E75600305AFDB60AF2AD844A9A77A8BF85724F204A19F8A1D63E0E770D948DF60

Function 009805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00980601

Strings

nul, xrefs: 00980639

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 32806e975f86c4098c70156591a5ad0c5256c1d0da35f00c83fee1484d1adc63
Instruction ID: e665107a7ee72d55b60a2ff75ad2da23d4033aba43028115b100b2b4c61dee60
Opcode Fuzzy Hash: 32806e975f86c4098c70156591a5ad0c5256c1d0da35f00c83fee1484d1adc63
Instruction Fuzzy Hash: 6E217F755003059FDB60AF698C04A9A77E8AFD5720F204B19F8B1E73E0E7709864CB60

Function 009A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0091600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0091604C
Part of subcall function 0091600E: GetStockObject.GDI32(00000011), ref: 00916060
Part of subcall function 0091600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0091606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009A4145

Strings

Msctls_Progress32, xrefs: 009A40E3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: cab27ae480654298484a219993bb2bf78ba9f7be482b41bd7ac1d6325f6b174d
Instruction ID: 87d1bc3f93feb517233b2d7af89a4cf1cd6f41b48cfee6eb1d3fde81a277fd68
Opcode Fuzzy Hash: cab27ae480654298484a219993bb2bf78ba9f7be482b41bd7ac1d6325f6b174d
Instruction Fuzzy Hash: 5011B2B215021DBEEF118F64CC85EE77F9DEF59798F004111BA18A6150CAB29C61DBE4

Function 0094D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0094D7A3: _free.LIBCMT ref: 0094D7CC

_free.LIBCMT ref: 0094D82D

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094D838
_free.LIBCMT ref: 0094D843
_free.LIBCMT ref: 0094D897
_free.LIBCMT ref: 0094D8A2
_free.LIBCMT ref: 0094D8AD
_free.LIBCMT ref: 0094D8B8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bd831c05411fbe07da1a4398f29f5243cd5cf0d6f44b09403d627c06e734bd00
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 9E115EB1542B04ABFA21BFB1CC47FCB7BDCBF80700F800925B299A6292DA75B5058660

Function 0097DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0097DA74
LoadStringW.USER32(00000000), ref: 0097DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0097DA91
LoadStringW.USER32(00000000), ref: 0097DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0097DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0097DAB9

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2a7120dfe8aed95592161b70b9ec0d2fedf627c48bf92be9d372615dd93de8db
Instruction ID: cabb419aba393d1526b1faacaf6c86449b0cf6f7574e956f53e44c54ee2a16bb
Opcode Fuzzy Hash: 2a7120dfe8aed95592161b70b9ec0d2fedf627c48bf92be9d372615dd93de8db
Instruction Fuzzy Hash: CF0162F25442087FE710DBA09D89EEB336CEF09701F404896B74AE6041EA749E844FB4

Function 0098096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0159EEB0,0159EEB0), ref: 0098097B
EnterCriticalSection.KERNEL32(0159EE90,00000000), ref: 0098098D
TerminateThread.KERNEL32(?,000001F6), ref: 0098099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009809A9
CloseHandle.KERNEL32(?), ref: 009809B8
InterlockedExchange.KERNEL32(0159EEB0,000001F6), ref: 009809C8
LeaveCriticalSection.KERNEL32(0159EE90), ref: 009809CF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2a5fa7ceb9816b78e645239bb6a366ff54420efb14f65b09707d1d90549742f8
Instruction ID: 0c32497169f4dc637d8c51d9d58582b29e79fa51821a67f0ccdccf6f0b2ec177
Opcode Fuzzy Hash: 2a5fa7ceb9816b78e645239bb6a366ff54420efb14f65b09707d1d90549742f8
Instruction Fuzzy Hash: 9CF03C7255AA02BBD7415FA4EE8CBD6BB39FF42702F402025F602988A0CB759465DFD0

Function 00991C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00991DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00991DE1
WSAGetLastError.WSOCK32 ref: 00991DF2
htons.WSOCK32(?,?,?,?,?), ref: 00991EDB
inet_ntoa.WSOCK32(?), ref: 00991E8C

Part of subcall function 009739E8: _strlen.LIBCMT ref: 009739F2

Part of subcall function 00993224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0098EC0C), ref: 00993240

_strlen.LIBCMT ref: 00991F35

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 84c2d0909ec5130105112f5deaff9251f6b1fe30138e8435568af727da59a4cd
Instruction ID: 57edceb241e003af74ae42197be9bce11e17356d9fbf2f4f7cb9a431a4f408de
Opcode Fuzzy Hash: 84c2d0909ec5130105112f5deaff9251f6b1fe30138e8435568af727da59a4cd
Instruction Fuzzy Hash: 52B1BD71204305AFC724DF28C895F6A7BA9BFC5318F54894CF4565B2A2DB31ED82CB91

Function 00915D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00915D30
GetWindowRect.USER32(?,?), ref: 00915D71
ScreenToClient.USER32(?,?), ref: 00915D99
GetClientRect.USER32(?,?), ref: 00915ED7
GetWindowRect.USER32(?,?), ref: 00915EF8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1b82563b3cea3dd333ae1720d9c8d17161ebf1fdd3982957e4c5843e2069b5ed
Instruction ID: 6c49a7bddd3129f96b9ca7de7d35003138964c999458381b9e11266a4c9c01e0
Opcode Fuzzy Hash: 1b82563b3cea3dd333ae1720d9c8d17161ebf1fdd3982957e4c5843e2069b5ed
Instruction Fuzzy Hash: BEB17A74A0074AEBDB14CFA9C4807EEB7F5FF48314F15881AE8A9D7250DB34AA91DB50

Function 009401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009400D6
__allrem.LIBCMT ref: 009400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0094010B
__allrem.LIBCMT ref: 00940122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00940140

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ea07e42b9bfcc51d8b6547d9245a2a87040737e34e4b20f6ce52ab2b5e436b2
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C681E472A007069BE724AE29CC51F6B73E9EFD5324F24463AFA51D7681E774D9008B50

Function 009461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009382D9,009382D9,?,?,?,0094644F,00000001,00000001,8BE85006), ref: 00946258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0094644F,00000001,00000001,8BE85006,?,?,?), ref: 009462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009463D8
__freea.LIBCMT ref: 009463E5

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

__freea.LIBCMT ref: 009463EE
__freea.LIBCMT ref: 00946413

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9747b776cb594388cb3124ba74767529c4461a0a6aa73ddfbcb7576312503787
Instruction ID: be1e4d771d0dd977a77c4781bffa90e97a005e4296e45d7e0a3fdc9106b515c1
Opcode Fuzzy Hash: 9747b776cb594388cb3124ba74767529c4461a0a6aa73ddfbcb7576312503787
Instruction Fuzzy Hash: A251E1B2A00256ABEF258F64CC81FBF7BA9EF86750F144669FC05D6190EB34DC40C6A1

Function 0099BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0099BD25
RegCloseKey.ADVAPI32(00000000), ref: 0099BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0099BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0099BDF3
RegCloseKey.ADVAPI32(?), ref: 0099BDFF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8ec0408bf277774fdf3af9d6dad8a2fc8f9813ce270db008e7b7ea594262555d
Instruction ID: 6a044cf31d4608a7e93b53ecb576de67574380c8ec00707eb8f98120e8afbb00
Opcode Fuzzy Hash: 8ec0408bf277774fdf3af9d6dad8a2fc8f9813ce270db008e7b7ea594262555d
Instruction Fuzzy Hash: 0B81C470208241EFCB14DF18C995E6AB7E9FF85308F14895CF4994B2A2DB35ED45CB92

Function 0096F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0096F7B9
SysAllocString.OLEAUT32(00000001), ref: 0096F860
VariantCopy.OLEAUT32(0096FA64,00000000), ref: 0096F889
VariantClear.OLEAUT32(0096FA64), ref: 0096F8AD
VariantCopy.OLEAUT32(0096FA64,00000000), ref: 0096F8B1
VariantClear.OLEAUT32(?), ref: 0096F8BB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 90bef417d8771f239b964fa9b94998a4d34280d327ccf7f34ff8d23c6d114a3b
Instruction ID: ebd424d5c16c8f372f512814561eafe77d5a9171c31087f5774fdc42ebed05eb
Opcode Fuzzy Hash: 90bef417d8771f239b964fa9b94998a4d34280d327ccf7f34ff8d23c6d114a3b
Instruction Fuzzy Hash: BD510735610310BACF24AF65E8B5B29B3E9EF85310F208867F906DF295DB748C40CB96

Function 0098910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009894E5
_wcslen.LIBCMT ref: 00989506
_wcslen.LIBCMT ref: 0098952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00989585

Strings

X, xrefs: 00989412

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b5cf378da40b1732a54a3636e655414916e295ed7e22174d4596eca3978e3e93
Instruction ID: 02f96179de5d992eebc54d26b7522f4f6ce51817120e586cb9e808e8240246a5
Opcode Fuzzy Hash: b5cf378da40b1732a54a3636e655414916e295ed7e22174d4596eca3978e3e93
Instruction Fuzzy Hash: AEE16F316083119FC724EF24C891BAAB7E5BF85314F08896DF8999B3A2DB31DD45CB91

Function 0092920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

BeginPaint.USER32(?,?,?), ref: 00929241
GetWindowRect.USER32(?,?), ref: 009292A5
ScreenToClient.USER32(?,?), ref: 009292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009292D3
EndPaint.USER32(?,?,?,?,?), ref: 00929321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009671EA

Part of subcall function 00929339: BeginPath.GDI32(00000000), ref: 00929357

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8777a1e25a47d5a64277af1274ab6604563b8f221a66a1eb9e170b75198fda05
Instruction ID: 59d1ec0368230f9f901631c20d167f00935e5c73a37cbed68129d7ab9cf450d3
Opcode Fuzzy Hash: 8777a1e25a47d5a64277af1274ab6604563b8f221a66a1eb9e170b75198fda05
Instruction Fuzzy Hash: 3D41A170108211AFD711DF64ECC4FBA7BA8EF46724F040629F9648B2A6C7349845EB61

Function 009807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0098080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00980847
EnterCriticalSection.KERNEL32(?), ref: 00980863
LeaveCriticalSection.KERNEL32(?), ref: 009808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00980921

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3c6b541724363d2acfb964cd56ab0c956d65aa9eb800e1042f8b8ea794ce2e08
Instruction ID: f3f349c829a3dea3e053705ac9caa38cdf05057b05288ec2f8408ab1e70b4651
Opcode Fuzzy Hash: 3c6b541724363d2acfb964cd56ab0c956d65aa9eb800e1042f8b8ea794ce2e08
Instruction Fuzzy Hash: 82416B71A00205EBDF15AF54DC85AAAB778FF84310F1440B9ED04AE29BDB31DE64DBA0

Function 009A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0096F3AB,00000000,?,?,00000000,?,0096682C,00000004,00000000,00000000), ref: 009A824C
EnableWindow.USER32(?,00000000), ref: 009A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009A82D1
ShowWindow.USER32(?,00000004), ref: 009A82E5
EnableWindow.USER32(?,00000001), ref: 009A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009A832F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1268ad8332264b36341b9ee6783b1bc886fe4e3e057fa245a24710f344605636
Instruction ID: b5925d64c5f4d1aad76a972a1eaee7b1d4e97667913c821c928ff76f06fdf69f
Opcode Fuzzy Hash: 1268ad8332264b36341b9ee6783b1bc886fe4e3e057fa245a24710f344605636
Instruction Fuzzy Hash: 9241AF30605644EFDF25CF24D899BA57BE4BB0B754F1842A9EA584F2A3CB31AC41DB90

Function 00974C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00974C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00974CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00974CEA
_wcslen.LIBCMT ref: 00974D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00974D10
_wcsstr.LIBVCRUNTIME ref: 00974D1A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 77323ea4d058fcac07f793939e7493d007df0d616dac0d4dd1da6fd61b2060fc
Instruction ID: d874db1902aed5f6991c9fa141171f04b3a8141b482c6aa0bb54d6ecee8f6b14
Opcode Fuzzy Hash: 77323ea4d058fcac07f793939e7493d007df0d616dac0d4dd1da6fd61b2060fc
Instruction Fuzzy Hash: 9721FC73204111BBEB269B39AC49F7B7BACDF46750F148079F849DE192EF65DC0096A0

Function 0098581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00913AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00913A97,?,?,00912E7F,?,?,?,00000000), ref: 00913AC2

_wcslen.LIBCMT ref: 0098587B
CoInitialize.OLE32(00000000), ref: 00985995
CoCreateInstance.OLE32(009AFCF8,00000000,00000001,009AFB68,?), ref: 009859AE
CoUninitialize.OLE32 ref: 009859CC

Strings

.lnk, xrefs: 00985876, 009858C1, 00985985

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4cb347ca410d6879648268510011338e8ebd5a66262ad49fa5f5d4bae1f2d83d
Instruction ID: f39f87a76aa7df07ea41437f987bd5d4e882c655352efbbc04e11aa67a51d857
Opcode Fuzzy Hash: 4cb347ca410d6879648268510011338e8ebd5a66262ad49fa5f5d4bae1f2d83d
Instruction Fuzzy Hash: 2AD154716086059FC714EF24C480A6ABBF6EF89714F15885DF88A9B361D732EC49CB92

Function 0097175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00970FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00970FCA
Part of subcall function 00970FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00970FD6
Part of subcall function 00970FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00970FE5
Part of subcall function 00970FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00970FEC
Part of subcall function 00970FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00971002

GetLengthSid.ADVAPI32(?,00000000,00971335), ref: 009717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009717BA
HeapAlloc.KERNEL32(00000000), ref: 009717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009717DA
GetProcessHeap.KERNEL32(00000000,00000000,00971335), ref: 009717EE
HeapFree.KERNEL32(00000000), ref: 009717F5

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9ac882375a3baae99f642051c870642f6fbed11b9901d20e674958d5089b23d2
Instruction ID: 3a2ec15e71be9092c90dab334184db196d808102cf8e79b665667a58f0a39a07
Opcode Fuzzy Hash: 9ac882375a3baae99f642051c870642f6fbed11b9901d20e674958d5089b23d2
Instruction Fuzzy Hash: 8B11BE72614205FFDB189FA8CC49BAE7BADEF42755F108018F4499B210D735A944DBA0

Function 009714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00971506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00971515
CloseHandle.KERNEL32(00000004), ref: 00971520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0097154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00971563

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7edff3536ac9efb0834dce7ed3a82e95032d9fe13b9c3a31d61b7743afdc12b8
Instruction ID: bb4ef3683f048982e975917e311874799bc53be90a8dfd1e1ddcb58ea8e00c5a
Opcode Fuzzy Hash: 7edff3536ac9efb0834dce7ed3a82e95032d9fe13b9c3a31d61b7743afdc12b8
Instruction Fuzzy Hash: 1A1129B2604209ABDF118F98DD49BDE7BADEF49744F048015FA09A6160C3758E64EBA0

Function 00933382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00933379,00932FE5), ref: 00933390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0093339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009333B7
SetLastError.KERNEL32(00000000,?,00933379,00932FE5), ref: 00933409

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8c6a516d39dc7490f42dc70a5a87ab52903fd5b0fe9b48ef5f46f07494326b4e
Instruction ID: c9a64bcb46e9fdb58ec9441bf77888a485dbe9c68dab9055f7a2defd28a52644
Opcode Fuzzy Hash: 8c6a516d39dc7490f42dc70a5a87ab52903fd5b0fe9b48ef5f46f07494326b4e
Instruction Fuzzy Hash: 7F0147732DE712BEAE242775BC87B276B98EB45379F20C22AF410852F0EF114D01AD84

Function 00942D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00945686,00953CD6,?,00000000,?,00945B6A,?,?,?,?,?,0093E6D1,?,009D8A48), ref: 00942D78
_free.LIBCMT ref: 00942DAB
_free.LIBCMT ref: 00942DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0093E6D1,?,009D8A48,00000010,00914F4A,?,?,00000000,00953CD6), ref: 00942DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0093E6D1,?,009D8A48,00000010,00914F4A,?,?,00000000,00953CD6), ref: 00942DEC
_abort.LIBCMT ref: 00942DF2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f455c6a067f404da483ff78d6c6f8f8c217f228704427e464a1b728456cdaee6
Instruction ID: 83176f76c7baf9fb885a11cab4dc1dfa8153e8338d2ffd730a5a764685f1a0aa
Opcode Fuzzy Hash: f455c6a067f404da483ff78d6c6f8f8c217f228704427e464a1b728456cdaee6
Instruction Fuzzy Hash: DFF02831949A0127C6122735BC0AF1E265DBFC27A1F654519F824961D2EE7488415160

Function 009A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00929639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00929693
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296A2
Part of subcall function 00929639: BeginPath.GDI32(?), ref: 009296B9
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 009A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009A8A70
LineTo.GDI32(?,00000000,00000003), ref: 009A8A80
EndPath.GDI32(?), ref: 009A8A90
StrokePath.GDI32(?), ref: 009A8AA0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b936c11f0d8f13c50c4d24ef598a7a7b82552a333f0168e0900053321a92425a
Instruction ID: 48c2beec1448c86a0a23021fcce7dcd6663402f662fa59208095865b2b65c559
Opcode Fuzzy Hash: b936c11f0d8f13c50c4d24ef598a7a7b82552a333f0168e0900053321a92425a
Instruction Fuzzy Hash: C11109B600415CFFDF129F90EC88EAA7F6CEF09394F008012FA199A1A1C7719D55EBA0

Function 009751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00975218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00975229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00975230
ReleaseDC.USER32(00000000,00000000), ref: 00975238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0097524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00975261

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 59ccdc03128566a3b3c56142c31efeabc7066b60c2c4497764af922dcf756f0b
Instruction ID: cad39055869fead7d56f6a35ac77357d957c82b9efd5e68ca69a45105ec69bb0
Opcode Fuzzy Hash: 59ccdc03128566a3b3c56142c31efeabc7066b60c2c4497764af922dcf756f0b
Instruction Fuzzy Hash: C5014FB5A04719BBEB109BA59C49A5EBFB8EF49751F044065FA04AB281D6709C00DBA0

Function 00911BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00911BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00911BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00911C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00911C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00911C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00911C22

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2591a0d1e8e16a98225962ed68e8517c58f906c8f0510845c32b993d19a3b4da
Instruction ID: c3c005d6f9445ea533815a8a74c10dc5ff0d066d2bbbcf0c1657a2283c2f3eea
Opcode Fuzzy Hash: 2591a0d1e8e16a98225962ed68e8517c58f906c8f0510845c32b993d19a3b4da
Instruction Fuzzy Hash: DA0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0097EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0097EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0097EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0097EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0097EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0097EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0097EB75

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 87d259a64d2f9a0b3580d1063b223801fb794bee06b81ee237b64980daf743f4
Instruction ID: 7abaad561e7cb69fe8b863b3228c8089ac58ba6056b1a3fdd6adb9ef142d3d0c
Opcode Fuzzy Hash: 87d259a64d2f9a0b3580d1063b223801fb794bee06b81ee237b64980daf743f4
Instruction Fuzzy Hash: F3F054B2254159BBE7215B529C0DEEF3E7CEFCBB11F004159F601D5091DBA05A01D6F5

Function 00967439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00967452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00967469
GetWindowDC.USER32(?), ref: 00967475
GetPixel.GDI32(00000000,?,?), ref: 00967484
ReleaseDC.USER32(?,00000000), ref: 00967496
GetSysColor.USER32(00000005), ref: 009674B0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 42ee6c807023b80ddcfe42550179014bead8bcbf2f6d607ff3615b2c75028cf0
Instruction ID: d9c5c701baca27faa6d5e9c62c26aed71922308a5e051a3fa6d9d03d1898e311
Opcode Fuzzy Hash: 42ee6c807023b80ddcfe42550179014bead8bcbf2f6d607ff3615b2c75028cf0
Instruction Fuzzy Hash: 65018B71418216FFDB109FA4DD08BAABBB6FF05311F110060F916A61B0CF311E41AB90

Function 00971874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0097187F
UnloadUserProfile.USERENV(?,?), ref: 0097188B
CloseHandle.KERNEL32(?), ref: 00971894
CloseHandle.KERNEL32(?), ref: 0097189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009718A5
HeapFree.KERNEL32(00000000), ref: 009718AC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cce0622c135e035d9132796744e9ad37369ee69c252bd167aa523a82cab76b9c
Instruction ID: e963aa53e28aed32b002e33aaed14dc2b0a64a21f6e0b18c6860e3808e6d56a2
Opcode Fuzzy Hash: cce0622c135e035d9132796744e9ad37369ee69c252bd167aa523a82cab76b9c
Instruction Fuzzy Hash: 35E0E5B621C101BBDB015FA1ED0C90ABF79FF4AB22B108220F22589070CF329421EF90

Function 0097C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0097C6EE
_wcslen.LIBCMT ref: 0097C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0097C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0097C7CA

Strings

0, xrefs: 0097C6AF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 936cd308ff862d49fb427c5f47fd09d865894de61b89665999633b81277bfa1f
Instruction ID: d9481ad948780321339ac25f57e2ebb2ffd87e9ba2656c5dd138245fbf211f81
Opcode Fuzzy Hash: 936cd308ff862d49fb427c5f47fd09d865894de61b89665999633b81277bfa1f
Instruction Fuzzy Hash: F35104B26083019BD719DF28D885BAB77E8AF89310F048A2DF999E71D0DB74DD44CB52

Function 0099AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0099AEA3

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

GetProcessId.KERNEL32(00000000), ref: 0099AF38
CloseHandle.KERNEL32(00000000), ref: 0099AF67

Strings

<, xrefs: 0099AE6B
@, xrefs: 0099AE72

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a5a3d81b1b2d31326a57a7d5c92399747ac9a0218979601139e8b643bd1fcb45
Instruction ID: 4d82ed8ee78434df01fa7c7d31277c8aefeaf0c3e07c273659ebb8c6f280734d
Opcode Fuzzy Hash: a5a3d81b1b2d31326a57a7d5c92399747ac9a0218979601139e8b643bd1fcb45
Instruction Fuzzy Hash: 55713470A00219DFCF14DF98C484A9EBBF5EF48314F048499E816AB3A2CB75ED85CB91

Function 0097719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00977206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0097723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0097724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009772CF

Strings

DllGetClassObject, xrefs: 00977242

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5663939ccf5b1e5634c217bd1cf1592d5e29450cf04bb8b1b66a68cb1d8e0274
Instruction ID: a22ca32685ee2616eb9d5e8ceab43e213bddbe1fa92e83bce18c7d01ba8997cc
Opcode Fuzzy Hash: 5663939ccf5b1e5634c217bd1cf1592d5e29450cf04bb8b1b66a68cb1d8e0274
Instruction Fuzzy Hash: 204182B2604204EFDB15CF94C884B9ABBB9EF45314F14C0A9BD19DF20AD7B4D944DBA0

Function 009A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009A3E35
IsMenu.USER32(?), ref: 009A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009A3E92
DrawMenuBar.USER32 ref: 009A3EA5

Strings

0, xrefs: 009A3D89

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c6bedd2ef255598684ed5c025b1282c41fa23c363f3693f0b4703b7ea0581572
Instruction ID: ef015e1d6c2ea2dd5e69982c50d7a61be9d7027749ab9da7fd373658611f3b6a
Opcode Fuzzy Hash: c6bedd2ef255598684ed5c025b1282c41fa23c363f3693f0b4703b7ea0581572
Instruction Fuzzy Hash: CA416975A15209EFDB10DF60D884EEABBB9FF4A354F14802AF905AB250D730AE40DF90

Function 00971DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00971E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00971E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00971EA9

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Strings

ComboBox, xrefs: 00971DF0
ListBox, xrefs: 00971E25

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 87f65c370cb03b6e9767a7e8c2dd6b7316fbd88ed8b8fc79e74333928ba4fa7f
Instruction ID: 80270ad18672248a041ab3f497904022301ef08ebf5c8a0010a37a24d0b36092
Opcode Fuzzy Hash: 87f65c370cb03b6e9767a7e8c2dd6b7316fbd88ed8b8fc79e74333928ba4fa7f
Instruction Fuzzy Hash: E5216B72A00108BFDB149B68DC56DFFB7BCEF82350B14C519F859A71E0DB384D459660

Function 009A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009A2F8D
LoadLibraryW.KERNEL32(?), ref: 009A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009A2FA9
DestroyWindow.USER32(?), ref: 009A2FB1

Strings

SysAnimate32, xrefs: 009A2F68

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0c1931d3da9fc5851fbb4d10c768e9ca675f0dd6495eb646c4333860bb721433
Instruction ID: a71fee44b8168ff61748d0ddb0e0b1959887918f4b8611e58acf79b8cf475607
Opcode Fuzzy Hash: 0c1931d3da9fc5851fbb4d10c768e9ca675f0dd6495eb646c4333860bb721433
Instruction Fuzzy Hash: 99219D71214209AFEB108FA8DC84FBB77BDEF9A368F104619F950D61A0D771DC91A7A0

Function 00934D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00934D1E,009428E9,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002), ref: 00934D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00934DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00934D1E,009428E9,?,00934CBE,009428E9,009D88B8,0000000C,00934E15,009428E9,00000002,00000000), ref: 00934DC3

Strings

mscoree.dll, xrefs: 00934D86
CorExitProcess, xrefs: 00934D98

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 909bc7142c7c4ec93d33f4947f3f564271640234ca5b7394dfa466dc8c9d52de
Instruction ID: f74347420b9c136937118684ef9e1dcea2e41140f40dffd354489e5fedd28144
Opcode Fuzzy Hash: 909bc7142c7c4ec93d33f4947f3f564271640234ca5b7394dfa466dc8c9d52de
Instruction Fuzzy Hash: 79F03C74A54208ABDB119B94DC49BAEBFE9EF85751F0101A4E906A62A0CF70AD40DED0

Function 00914E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00914EAE
FreeLibrary.KERNEL32(00000000,?,?,00914EDD,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914EC0

Strings

kernel32.dll, xrefs: 00914E94
Wow64DisableWow64FsRedirection, xrefs: 00914EA8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 4bed8f5b140ba531335048a75c3a557d8fee804d429e6b8120eee8d728c3cd77
Instruction ID: b2d3a48802cc1b2fd15850bd4248c305c6368269d6fe3ce489a7fde660700c2c
Opcode Fuzzy Hash: 4bed8f5b140ba531335048a75c3a557d8fee804d429e6b8120eee8d728c3cd77
Instruction Fuzzy Hash: C3E0C276B5A6225BD3321B25BC18BAF769CAFC7F67B050115FC08E6200DB60CD4294F1

Function 00914E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00914E74
FreeLibrary.KERNEL32(00000000,?,?,00953CDE,?,009E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00914E87

Strings

kernel32.dll, xrefs: 00914E5B
Wow64RevertWow64FsRedirection, xrefs: 00914E6E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 7dcd82f5fd8770924d77690fa520fc4e987e418683c4db586ca18064683f7828
Instruction ID: fb24306888bcc39117c2945d44603195057098702ae19470e3a674063649d1eb
Opcode Fuzzy Hash: 7dcd82f5fd8770924d77690fa520fc4e987e418683c4db586ca18064683f7828
Instruction Fuzzy Hash: 1BD0C23571A6225746221B247C08DCB3A1CAF8AB153054211F804AA110CF21CD42D1E1

Function 00982947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00982C05
DeleteFileW.KERNEL32(?), ref: 00982C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00982C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00982CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00982CC0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1d8b688005f068c235df475c8964b5548e595efdfd1c3d0c7fcedecc9f26f87d
Instruction ID: c3c393616357b2aac6c987a86333d6af92ba7eab89aa54a5c303e4ff929a783f
Opcode Fuzzy Hash: 1d8b688005f068c235df475c8964b5548e595efdfd1c3d0c7fcedecc9f26f87d
Instruction Fuzzy Hash: 26B15D72A01119ABDF15EBA4CC85FEEB7BDEF89310F1040A6F509E6241EA359A448F61

Function 0099A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0099A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0099A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0099A468
CloseHandle.KERNEL32(?), ref: 0099A63D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: be1de593185d2924cdbea4ad8d26eb681f10d154a0f6c15eea9d3f5200ae295a
Instruction ID: f12a7d59099baff0e252d0158d05f27a72a9a684625648b7a44466a79dc9df62
Opcode Fuzzy Hash: be1de593185d2924cdbea4ad8d26eb681f10d154a0f6c15eea9d3f5200ae295a
Instruction Fuzzy Hash: 0CA15FB16043019FDB20DF28D886B2AB7E5EF84714F14885DF95A9B392DB70EC418B92

Function 0094BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009B3700), ref: 0094BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,009E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0094BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,009E1270,000000FF,?,0000003F,00000000,?), ref: 0094BC36
_free.LIBCMT ref: 0094BB7F

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094BD4B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 72e944b17c2c0f18d86b54a86f9219e0c0b392084eaa9bc49470887107cb5d7b
Instruction ID: ff6a34221f2e28494a6f2268214fae77a8c9762d3453aba22d9fc1fa49696d34
Opcode Fuzzy Hash: 72e944b17c2c0f18d86b54a86f9219e0c0b392084eaa9bc49470887107cb5d7b
Instruction Fuzzy Hash: 7B51B671904209EFCB24EF699CC1EAEB7BCEF81310B10466AE564D7291EB30DE419B90

Function 0097E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0097CF22,?), ref: 0097DDFD

Part of subcall function 0097DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0097CF22,?), ref: 0097DE16

Part of subcall function 0097E199: GetFileAttributesW.KERNEL32(?,0097CF95), ref: 0097E19A

lstrcmpiW.KERNEL32(?,?), ref: 0097E473
MoveFileW.KERNEL32(?,?), ref: 0097E4AC
_wcslen.LIBCMT ref: 0097E5EB
_wcslen.LIBCMT ref: 0097E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0097E650

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 610ee779c565cde7a7276af002136767e08f7ef286a87aa3ecc91f405bfec16c
Instruction ID: afc2d11ac19edbe51d681ed20a5986e9a97141fc2542b5e888b62e5caa66e039
Opcode Fuzzy Hash: 610ee779c565cde7a7276af002136767e08f7ef286a87aa3ecc91f405bfec16c
Instruction Fuzzy Hash: 7F5162B35083455BC724DB94D891ADB73ECAFC9340F00895EF689D3191EF74A6888B66

Function 0099B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 0099C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0099B6AE,?,?), ref: 0099C9B5
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099C9F1
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA68
Part of subcall function 0099C998: _wcslen.LIBCMT ref: 0099CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0099BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0099BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0099BB63
RegCloseKey.ADVAPI32(?,?), ref: 0099BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0099BBB3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9fcc13826f4e768bd6c135e6defde404e1338e5c1ed36f59c5f68312c4091fbc
Instruction ID: b3419564fcf79cc815d5665c4e7dcebd9e4df584ee7e908f9067146efc178b10
Opcode Fuzzy Hash: 9fcc13826f4e768bd6c135e6defde404e1338e5c1ed36f59c5f68312c4091fbc
Instruction Fuzzy Hash: CB61D371208205AFCB14DF18C590F6ABBE9FF84308F54895CF4994B2A2CB35ED45CB92

Function 00978BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00978BCD
VariantClear.OLEAUT32 ref: 00978C3E
VariantClear.OLEAUT32 ref: 00978C9D
VariantClear.OLEAUT32(?), ref: 00978D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00978D3B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 45dcb858c5447254cdb6da98c64dec7c97d6e51bff095d15f98d59dbeb8b95cc
Instruction ID: 9ed7df162af00c8aca6797f3711af3e26ac6d0cfee5c6d6eb03482e557dbcb20
Opcode Fuzzy Hash: 45dcb858c5447254cdb6da98c64dec7c97d6e51bff095d15f98d59dbeb8b95cc
Instruction Fuzzy Hash: B25159B5A10219EFCB14CF68C894AAAB7F9FF8D310B158559E909DB350E734E911CF90

Function 00988AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00988BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00988BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00988C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00988C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00988C5F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6172e48fcd7473a537a0ed55ed71889f7cfdaa4a88bc1e3bc02c93bceeab2a18
Instruction ID: 7fc0d16b1df80ac0b9fea0938404c0e4d1311fc2b33a840b63f0276ab4598444
Opcode Fuzzy Hash: 6172e48fcd7473a537a0ed55ed71889f7cfdaa4a88bc1e3bc02c93bceeab2a18
Instruction Fuzzy Hash: 32513075A002199FCB15DF54C881AAEBBF5FF49314F048458E84AAB362DB35ED51CBA0

Function 00998EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00998F40
GetProcAddress.KERNEL32(00000000,?), ref: 00998FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00998FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00999032
FreeLibrary.KERNEL32(00000000), ref: 00999052

Part of subcall function 0092F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00981043,?,7529E610), ref: 0092F6E6
Part of subcall function 0092F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0096FA64,00000000,00000000,?,?,00981043,?,7529E610,?,0096FA64), ref: 0092F70D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: c8084332d1f1cbd7edcdb3a7217bd993d457e1ad4a02815907c96750145fe459
Instruction ID: eaa65d8277664858788e291c2178e30370a8192bf88dc415abec7e6360eae56f
Opcode Fuzzy Hash: c8084332d1f1cbd7edcdb3a7217bd993d457e1ad4a02815907c96750145fe459
Instruction Fuzzy Hash: 7C514B35605209DFCB11DF58C4949ADBBF5FF49314B0480A8E81A9B362DB31ED86CB90

Function 009A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 009A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0098AB79,00000000,00000000), ref: 009A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009A6CC7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c42f13f9bd6d59c5864bbd0c53eae6aef9c780cc082bb53d47cb86fca204da0f
Instruction ID: d36928b0ed702749d24980e6e149bf86dd1bc8dc34c8beeaf6c9c6a7adb31736
Opcode Fuzzy Hash: c42f13f9bd6d59c5864bbd0c53eae6aef9c780cc082bb53d47cb86fca204da0f
Instruction Fuzzy Hash: 7B41B575A08104AFD724DF28CC59FA57BB9EB0B360F190228FAD5AB2E1C771AD41D6D0

Function 00942051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009420C3
_free.LIBCMT ref: 009420E3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 090c8196deacf42dd5abf46e4b74fae5a38b0646fea51e3ba23f346f2973dc1c
Instruction ID: 2c5e6735314a32a884f4eea384e3161e4fbd26691248dcbf79422140ef13e8c3
Opcode Fuzzy Hash: 090c8196deacf42dd5abf46e4b74fae5a38b0646fea51e3ba23f346f2973dc1c
Instruction Fuzzy Hash: 6E41AC72A00200ABDB24DF68C881E5EB7F5FF89314F5645A9F615EB396DA31AD01CB80

Function 0092912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00929141
ScreenToClient.USER32(00000000,?), ref: 0092915E
GetAsyncKeyState.USER32(00000001), ref: 00929183
GetAsyncKeyState.USER32(00000002), ref: 0092919D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 870f8c796b305000750b0d2cb08bae0a4cedde76dcdfbd6f70947ca9a0178dbe
Instruction ID: 83065ea7b339f1b0a117c937039c0c85710861146e8e68cc7a7424556b5d3dea
Opcode Fuzzy Hash: 870f8c796b305000750b0d2cb08bae0a4cedde76dcdfbd6f70947ca9a0178dbe
Instruction Fuzzy Hash: 4E419F71A0C21ABBDF099FA8D844BEEF774FF06324F208216E429A72D1C7346950DB91

Function 00983874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00983922
TranslateMessage.USER32(?), ref: 0098394B
DispatchMessageW.USER32(?), ref: 00983955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00983966

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 96cb5f844c9194ab37b16351117f9cea70ce3c2c0789515160cae0f35227c84b
Instruction ID: 3b7cb8b28034df25109c14a92d7ee0a88e7641d3ec58126c38329019f9dd6d46
Opcode Fuzzy Hash: 96cb5f844c9194ab37b16351117f9cea70ce3c2c0789515160cae0f35227c84b
Instruction Fuzzy Hash: ED31EB7091C381DFEB39EB35D848BB637ACAB05700F04855DE46687290E7F69A85DB11

Function 0098CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0098C21E,00000000), ref: 0098CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0098CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0098C21E,00000000), ref: 0098CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0098C21E,00000000), ref: 0098CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0098C21E,00000000), ref: 0098CFF2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a81059b7952a9465afd38f338c007dbe60f0e86483d1a367e328041a0fa1da26
Instruction ID: ef43800655d2544315d725f137ed1908feb3796cd3ed7b00cb058d2bf3cd88df
Opcode Fuzzy Hash: a81059b7952a9465afd38f338c007dbe60f0e86483d1a367e328041a0fa1da26
Instruction Fuzzy Hash: F7314CB1504205AFEB20EFA5D884AABBBFDEF15355B10442EF616D6240DB34EE40DBA0

Function 00971901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00971915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009719E2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fff9a07cf8874cad7d97ac731b7718a58ffab7625d47643cb34974739f01a18e
Instruction ID: 1d03dcd3d060657e804212e097327863409ed303b44988d852a658561121dc12
Opcode Fuzzy Hash: fff9a07cf8874cad7d97ac731b7718a58ffab7625d47643cb34974739f01a18e
Instruction Fuzzy Hash: 7331C272A00219EFCB10CFACDD99ADE3BB5EF45315F108225FA25AB2D1C7709945DB90

Function 009A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 009A579D
_wcslen.LIBCMT ref: 009A57AF
_wcslen.LIBCMT ref: 009A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 009A5816

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d53f2517d0e2b1e43896beb61d3780241a7f7d1c1ba682390974ce2f5b50c50e
Instruction ID: 2a6169f472550a62007c7b9b18be9ddaa1039eca9bca7cbdf2d085d566753d84
Opcode Fuzzy Hash: d53f2517d0e2b1e43896beb61d3780241a7f7d1c1ba682390974ce2f5b50c50e
Instruction Fuzzy Hash: D321D271A04608DADB209FA1CC84AEE77BCFF46720F108216F929EA180D7748981CFD0

Function 0092990E Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009298CC
SetTextColor.GDI32(?,?), ref: 009298D6
SetBkMode.GDI32(?,00000001), ref: 009298E9
GetStockObject.GDI32(00000005), ref: 009298F1
GetWindowLongW.USER32(?,000000EB), ref: 00929952

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 8b100443ca40263cf09f6f4d54a57d285b3dac55a1bf3529cfcd29e27fae73ff
Instruction ID: 9fa6d898b00888adceb066faeb591662c9827de8c6f04a9e1d4e50fbe14a6e64
Opcode Fuzzy Hash: 8b100443ca40263cf09f6f4d54a57d285b3dac55a1bf3529cfcd29e27fae73ff
Instruction Fuzzy Hash: F621D6752492609FC7228F24FC65AEA3B65EF17334F08029DF5928F1E2C7364991DB90

Function 00990930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00990951
GetForegroundWindow.USER32 ref: 00990968
GetDC.USER32(00000000), ref: 009909A4
GetPixel.GDI32(00000000,?,00000003), ref: 009909B0
ReleaseDC.USER32(00000000,00000003), ref: 009909E8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8e10c36b4253f44ccd43c158da2e840bbc67d77a461231e6c4ec22ae08a09694
Instruction ID: c857cf00416c5fcb5e40e59984a6ab2beb500e55c41bf22f315396bb2bdacd9b
Opcode Fuzzy Hash: 8e10c36b4253f44ccd43c158da2e840bbc67d77a461231e6c4ec22ae08a09694
Instruction Fuzzy Hash: 24219675600204AFD704EF69C944AAEB7F9EF85740F048468F85AD7352DB30EC44DB90

Function 0094CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0094CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0094CDE9

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0094CE0F
_free.LIBCMT ref: 0094CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0094CE31

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 85d124db48ef7051cc9de5dba2a3c53f52f75ac4318dd4e61e96ec3ea46fef6f
Instruction ID: 33145ac8a2267fc12f6bc49d284783afd63b8a7b73d533fc09c0368cfce42ab2
Opcode Fuzzy Hash: 85d124db48ef7051cc9de5dba2a3c53f52f75ac4318dd4e61e96ec3ea46fef6f
Instruction Fuzzy Hash: 4B0184F26072157F276116B66C88D7B6A6DEEC7BA13150129F905DB201EF618D0291F0

Function 00929639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00929693
SelectObject.GDI32(?,00000000), ref: 009296A2
BeginPath.GDI32(?), ref: 009296B9
SelectObject.GDI32(?,00000000), ref: 009296E2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5ee1f162f711c4348ed5c190dc89eb21fe4005680399dfcd8ad44cca664bfa00
Instruction ID: c6761d85d715c86290cdb84646e8fcdaa22fdbb300f502c606d6f329c2ea280d
Opcode Fuzzy Hash: 5ee1f162f711c4348ed5c190dc89eb21fe4005680399dfcd8ad44cca664bfa00
Instruction Fuzzy Hash: D7219D7082A355EFDB119F64FC88BA97BA8BB41365F100216F810AA1B6D3749C91EF90

Function 00975711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00975726
_memcmp.LIBVCRUNTIME ref: 00975744
_memcmp.LIBVCRUNTIME ref: 00975757
_memcmp.LIBVCRUNTIME ref: 0097576F
_memcmp.LIBVCRUNTIME ref: 00975787

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a487e3e531c68c7b866d206e07f75ecf4c9ff301bd72fcb9a7255916ca0b97a9
Instruction ID: 252ac6549ed7b32e1cc738e0998119988a71febf53fcd47c219e5692f99e0e38
Opcode Fuzzy Hash: a487e3e531c68c7b866d206e07f75ecf4c9ff301bd72fcb9a7255916ca0b97a9
Instruction Fuzzy Hash: C601D8A3641609FBE24C55119D92FBB735D9FA23A8F018020FD0C9F241F7A1EE1086F0

Function 00942DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0093F2DE,00943863,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6), ref: 00942DFD
_free.LIBCMT ref: 00942E32
_free.LIBCMT ref: 00942E59
SetLastError.KERNEL32(00000000,00911129), ref: 00942E66
SetLastError.KERNEL32(00000000,00911129), ref: 00942E6F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 19fc04d94f42cfa23e2307bd604fbe0672d7e33c16ae7ee6b91b88e83b230033
Instruction ID: fc194bff5db9cb23032d5e9aa0c98c9f3db65efe6b133605a0fc317e55bfa99b
Opcode Fuzzy Hash: 19fc04d94f42cfa23e2307bd604fbe0672d7e33c16ae7ee6b91b88e83b230033
Instruction Fuzzy Hash: D701287224960177CA1367356C85E2F266DFFD23B5BF54429F425E22D2EF74CC019160

Function 0097000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?,?,0097035E), ref: 0097002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?), ref: 00970064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0096FF41,80070057,?,?), ref: 00970070

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f9792110127c2dc5edb76ed62964c1534a290d1fcec44ac6583395a1698044af
Instruction ID: 2b99f69145a0f7dc411fe5adf94c0bd218fe9a7d70f1bb19114782bf3a31f1a0
Opcode Fuzzy Hash: f9792110127c2dc5edb76ed62964c1534a290d1fcec44ac6583395a1698044af
Instruction Fuzzy Hash: E70162B7610214FFDB114F69DC44BAA7AEDEF847A1F148124F909D6210DB75DD40EBA0

Function 0097E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0097E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0097E9A5
Sleep.KERNEL32(00000000), ref: 0097E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0097E9B7
Sleep.KERNEL32 ref: 0097E9F3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: bcfeafe2b95c9cfc07c3fc5eba2692b7bff858abe9e09da23007d2f8169e3ce1
Instruction ID: 4c9a0d5711bfe30758fbaaab85bcf7b050f4e56e1624f3b00b7e494fe37b4160
Opcode Fuzzy Hash: bcfeafe2b95c9cfc07c3fc5eba2692b7bff858abe9e09da23007d2f8169e3ce1
Instruction Fuzzy Hash: 42015772D09A2DDBCF00ABE5D849AEDBB78BF0E301F004586EA06B2241CB349555DBA1

Function 009710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00971114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 0097112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00970B9B,?,?,?), ref: 00971136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0097114D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4e9473c038334d71f84cb9f6f3c2622a5881567699262e5b6cd39e90b0fb74d1
Instruction ID: bdbf023a22898e4a8b852a20cb13defc336a300074098b6570eb120512d5ad90
Opcode Fuzzy Hash: 4e9473c038334d71f84cb9f6f3c2622a5881567699262e5b6cd39e90b0fb74d1
Instruction Fuzzy Hash: 060131B5214205BFDB114F69DC49E6A3F7EEF86360B514415FA45DB350DB31DD009EA0

Function 00970FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00970FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00970FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00970FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00970FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00971002

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c99bf952b08ddced122d85444a6145ade520eb5a5aba5b53791231d374b30c0f
Instruction ID: 2194c107c427ce8e3c8f6da272ef52c47ef6ac2898241dc1db925c90e79907a5
Opcode Fuzzy Hash: c99bf952b08ddced122d85444a6145ade520eb5a5aba5b53791231d374b30c0f
Instruction Fuzzy Hash: E1F06DB6214311FBDB214FA8DC4DF563BADEF8A762F114414FA49CB261DE70DC509AA0

Function 00971014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0097102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00971036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0097104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971062

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c9802a3ea6401547491d484370dc37d2e7471caa323d3985bb583585f04ae443
Instruction ID: 8df335cd99ade723888152dff22bf6e9c641b68a0997f0905a4f06995c11e12e
Opcode Fuzzy Hash: c9802a3ea6401547491d484370dc37d2e7471caa323d3985bb583585f04ae443
Instruction Fuzzy Hash: C0F06DB6214311FBDB215FA8EC49F563BADEF8A761F114414FA49CB250DE70D8509AA0

Function 0098030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980324
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980331
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 0098033E
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 0098034B
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980358
CloseHandle.KERNEL32(?,?,?,?,0098017D,?,009832FC,?,00000001,00952592,?), ref: 00980365

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c8083eb4f856c61235a15ac6d44d490ff44f3565abb08bbdbe60412ee3445209
Instruction ID: fafcfaae1081968f3155fccd9a222bbcf4c067a8122a4b735ca610aeb9bdb408
Opcode Fuzzy Hash: c8083eb4f856c61235a15ac6d44d490ff44f3565abb08bbdbe60412ee3445209
Instruction Fuzzy Hash: C5017E72801B15DFCB30AF66D890816FBF9BFA03153158A3FD19652A31C7B1A959DF80

Function 0094D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0094D752

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 0094D764
_free.LIBCMT ref: 0094D776
_free.LIBCMT ref: 0094D788
_free.LIBCMT ref: 0094D79A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80557351398948a9a33e9417299974b54fd8b29ff6984bf88adb5154bf0c7242
Instruction ID: 428467f9de6b0f3e233ebf11a52ff7f6122631858d453620eea94e4b445b2c09
Opcode Fuzzy Hash: 80557351398948a9a33e9417299974b54fd8b29ff6984bf88adb5154bf0c7242
Instruction Fuzzy Hash: 72F036B6596205AB9625EB65FAD5D167BDDBB447107D40C06F048D7601C730FCC0D664

Function 00975C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00975C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00975C6F
MessageBeep.USER32(00000000), ref: 00975C87
KillTimer.USER32(?,0000040A), ref: 00975CA3
EndDialog.USER32(?,00000001), ref: 00975CBD

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 768008864d90b012e0788d4198efead707002a551c4ec773c5443cefb51a6cf9
Instruction ID: 8c2a9a196e165e75902f050522ae41acb52572bbf950dec1f0c4d0b343fcc209
Opcode Fuzzy Hash: 768008864d90b012e0788d4198efead707002a551c4ec773c5443cefb51a6cf9
Instruction Fuzzy Hash: 9D01F471504B04ABEB219B10DD4EFA677BCBF01B01F090559B1C7A50E0DBF4A984DBD0

Function 009422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009422BE

Part of subcall function 009429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000), ref: 009429DE
Part of subcall function 009429C8: GetLastError.KERNEL32(00000000,?,0094D7D1,00000000,00000000,00000000,00000000,?,0094D7F8,00000000,00000007,00000000,?,0094DBF5,00000000,00000000), ref: 009429F0

_free.LIBCMT ref: 009422D0
_free.LIBCMT ref: 009422E3
_free.LIBCMT ref: 009422F4
_free.LIBCMT ref: 00942305

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7f1e922eec0feee88059097a70e3a068deb67412cb1feaf124484787af939dea
Instruction ID: ca15b545211175c65f0ade8491ca1e9bbc6d7c502d90deedcc8fccab7dbc5ffb
Opcode Fuzzy Hash: 7f1e922eec0feee88059097a70e3a068deb67412cb1feaf124484787af939dea
Instruction Fuzzy Hash: 58F03AB08692A19BDA12AF55BD91D0C3FA8F75C761780090BF420DA3B1C7711CA2FBA4

Function 009295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009295D4
StrokeAndFillPath.GDI32(?,?,009671F7,00000000,?,?,?), ref: 009295F0
SelectObject.GDI32(?,00000000), ref: 00929603
DeleteObject.GDI32 ref: 00929616
StrokePath.GDI32(?), ref: 00929631

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 95f102af85f9c2a30fb4b90a6d5ddebf20226d1a3e25d10c980795c9362e9b46
Instruction ID: 93f5c8a895f319608a8ce0a7babfc3f1a6b68536c4821ea175e2b14d6363864e
Opcode Fuzzy Hash: 95f102af85f9c2a30fb4b90a6d5ddebf20226d1a3e25d10c980795c9362e9b46
Instruction Fuzzy Hash: 5CF03C7002D354EBDB125F65FD5CB643BA5AB02362F048214F4255D0F2CB348991EF60

Function 00940F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009410F9
__freea.LIBCMT ref: 00941117

Part of subcall function 00941537: _free.LIBCMT ref: 0094154F

Strings

am/pm, xrefs: 0094117A
a/p, xrefs: 009411DE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4450cc1a5459429d39e03f52ccb9b88bb68d98ea71062864c514a6f5c4f1f5d3
Instruction ID: 09095ad4024af51c11115ccae1bf43056b384336f3baef438cec65ab89e53485
Opcode Fuzzy Hash: 4450cc1a5459429d39e03f52ccb9b88bb68d98ea71062864c514a6f5c4f1f5d3
Instruction Fuzzy Hash: 25D13531A14206CBCB289F68C895FFEBBB8FF45700F284559E911AB650E3799DC0CB91

Function 00997B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00930242: EnterCriticalSection.KERNEL32(009E070C,009E1884,?,?,0092198B,009E2518,?,?,?,009112F9,00000000), ref: 0093024D
Part of subcall function 00930242: LeaveCriticalSection.KERNEL32(009E070C,?,0092198B,009E2518,?,?,?,009112F9,00000000), ref: 0093028A

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 009300A3: __onexit.LIBCMT ref: 009300A9

__Init_thread_footer.LIBCMT ref: 00997BFB

Part of subcall function 009301F8: EnterCriticalSection.KERNEL32(009E070C,?,?,00928747,009E2514), ref: 00930202
Part of subcall function 009301F8: LeaveCriticalSection.KERNEL32(009E070C,?,00928747,009E2514), ref: 00930235

Strings

Variable must be of type 'Object'., xrefs: 00997C3A
G, xrefs: 00997C7F
5, xrefs: 00997C78

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 21d53d330b890cb6fe8fb79063000455aab65b3438eb98b0fbf08f411b6c36f7
Instruction ID: 3e3cc78616664a2fc550eaf0fe914e8bf05cb092ac0d6e3278687050c821a198
Opcode Fuzzy Hash: 21d53d330b890cb6fe8fb79063000455aab65b3438eb98b0fbf08f411b6c36f7
Instruction Fuzzy Hash: 83919A70A14209AFCF14EF98D891ABDB7B5BF89300F148459F8469B392DB71AE81CB51

Function 00972716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0097B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009721D0,?,?,00000034,00000800,?,00000034), ref: 0097B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00972760

Part of subcall function 0097B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0097B3F8

Part of subcall function 0097B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0097B355
Part of subcall function 0097B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00972194,00000034,?,?,00001004,00000000,00000000), ref: 0097B365
Part of subcall function 0097B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00972194,00000034,?,?,00001004,00000000,00000000), ref: 0097B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0097281A

Strings

@, xrefs: 00972832

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: bd7cffdd6fbf0c3298c08689a4dd92b8f1eb7cfc7388f6a32ede15f868057bd9
Instruction ID: 9a7e5c9bde4ef568ce24e4a810208122cafe865cc558f14509cd4186c0146b37
Opcode Fuzzy Hash: bd7cffdd6fbf0c3298c08689a4dd92b8f1eb7cfc7388f6a32ede15f868057bd9
Instruction Fuzzy Hash: 06413B72900218AFDB10DBA4CD41BEEBBB8AF49300F108095FA59B7191DB716E85DBA1

Function 0094172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00941769
_free.LIBCMT ref: 00941834
_free.LIBCMT ref: 0094183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00941760, 00941767, 00941796, 009417CE

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 8f8e31cb104ce3d0129be3a4e534ff5ca3764ed4e0b02b523bc63170f0e8e61a
Instruction ID: 1f14e65318ffc5c28a6e2fc8b7fc1db3e66f7eab7be40b37c142b6f6f6270716
Opcode Fuzzy Hash: 8f8e31cb104ce3d0129be3a4e534ff5ca3764ed4e0b02b523bc63170f0e8e61a
Instruction Fuzzy Hash: 14316D71A44258EFDB21DB99DC85E9EBBFCEB85310B144166F914DB311D6708E80DB90

Function 0097C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0097C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0097C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009E1990,015A7218), ref: 0097C395

Strings

0, xrefs: 0097C2DF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9786c054f25362ca1e077a652139f112218357e422925af71b07d69bbbb64415
Instruction ID: 96326d6816f1b3380bc161aea595d62a6c3aaac808a0eddfe8cb565f69819685
Opcode Fuzzy Hash: 9786c054f25362ca1e077a652139f112218357e422925af71b07d69bbbb64415
Instruction Fuzzy Hash: 644192B22083019FD724DF25D885B5ABBE8AFC5321F14CA1DF9A9972D1D770E904CB62

Function 009A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009ACC08,00000000,?,?,?,?), ref: 009A44AA
GetWindowLongW.USER32 ref: 009A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A44D7

Strings

SysTreeView32, xrefs: 009A447C

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 38d0981b1971d8997132948c8e49888547b916c552d303362140e14fa90479e7
Instruction ID: 20c64188543dbf2bd569e42e988cc3b540eb5fc21a8d7e18285a51513e4f8eb5
Opcode Fuzzy Hash: 38d0981b1971d8997132948c8e49888547b916c552d303362140e14fa90479e7
Instruction Fuzzy Hash: F431CD31214205AFDB208F38DC45BEA77E9EB8A334F204725F975921E0D7B0EC509B90

Function 0099304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0099335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00993077,?,?), ref: 00993378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0099307A
_wcslen.LIBCMT ref: 0099309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00993106

Strings

255.255.255.255, xrefs: 00993095, 0099309A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 1681d0a3761e94cb428fcdcfdc2f8ca8ac42e6f353681595f42b1bc786808a2f
Instruction ID: 21ac8ca11ba95eaf44bb421bd3df4b4e2289bd20e5c41e953796706119417406
Opcode Fuzzy Hash: 1681d0a3761e94cb428fcdcfdc2f8ca8ac42e6f353681595f42b1bc786808a2f
Instruction Fuzzy Hash: 3F31C1392042059FCF20CF6CC485EAA77E4EF55318F24C059E9158B3A2DB36EE85C760

Function 009A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 009A3F78

Strings

SysMonthCal32, xrefs: 009A3F0B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5c740af4c8334c73ed9ad69256e7c5b82863b186acf3b0e3da71b7f5e8b3f385
Instruction ID: e7ecc2f38bfbdfffcad8feb39bc8525640ba4be9e07804808d8ae21eb8835889
Opcode Fuzzy Hash: 5c740af4c8334c73ed9ad69256e7c5b82863b186acf3b0e3da71b7f5e8b3f385
Instruction Fuzzy Hash: F521BF32610219BFEF218F90CC46FEA3B79EF89714F114214FA156B1D0D6B1AC909BD0

Function 009A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009A471A

Strings

msctls_updown32, xrefs: 009A4684

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 35eec9d58cb730771ab32b4c785c362cbd69b137c756843990d9a06d2aa9320a
Instruction ID: 3b66a25db26dee8c074d8410fbdb97e7fd80d12799d78ae0683cac1a0c046184
Opcode Fuzzy Hash: 35eec9d58cb730771ab32b4c785c362cbd69b137c756843990d9a06d2aa9320a
Instruction Fuzzy Hash: D2215EB5605249AFDB10DF68DCC1DBB37ADEF8B398B040459FA009B261DB70EC51DAA0

Function 009795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0097961D

Strings

#OnAutoItStartRegister, xrefs: 009795F3
#requireadmin, xrefs: 009795D9
#notrayicon, xrefs: 009795B7

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c7273afcab724b1ce79873e9db02320c1b2d160722fb5c1ecb11df1d6b5a90c9
Instruction ID: 6b33c09cd93bf52c48baabbf709fd85f64df85fe218dc6cae91a93197ff6e7de
Opcode Fuzzy Hash: c7273afcab724b1ce79873e9db02320c1b2d160722fb5c1ecb11df1d6b5a90c9
Instruction Fuzzy Hash: B721577320422166C331BB259C16FBBB3ECEFD2314F108426F94D9B181EB55AD81C2E5

Function 009A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009A3876

Strings

Listbox, xrefs: 009A380F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8d839987150aa5af0deef745f70359576a436eae95898812933301e75bff5cdb
Instruction ID: 51543b03ba7c1787c338a56e6155cd5c2a437501bebbc55c003c9331a8e0ad5f
Opcode Fuzzy Hash: 8d839987150aa5af0deef745f70359576a436eae95898812933301e75bff5cdb
Instruction Fuzzy Hash: D1218E72614218BBEF218FA5CC85FAB376EEF8A754F108125F9049B190CA75DC528BE0

Function 009849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00984A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00984A5C
SetErrorMode.KERNEL32(00000000,?,?,009ACC08), ref: 00984AD0

Strings

%lu, xrefs: 00984A6F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4323c59915428f222d5cf961578823d09b4ca7420d61bc28a3b93cb065fb6150
Instruction ID: baf832318e0a4ecee6d4e7da304741bd02fcad559e22a3f686b42364a15736ee
Opcode Fuzzy Hash: 4323c59915428f222d5cf961578823d09b4ca7420d61bc28a3b93cb065fb6150
Instruction Fuzzy Hash: C1314C75A04109AFDB10DF54C885EAA7BF8EF49308F1480A5E909DF352DB71EE45CBA1

Function 009A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009A4271

Strings

msctls_trackbar32, xrefs: 009A4226

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 82f184cdc8be4d6838cca9536ba98b60497fd2b4de5a4a052264fd370156e69b
Instruction ID: ff592bad55e19dd8c81b916a097a1bf3a334703c553e64c724221af03a3a13c6
Opcode Fuzzy Hash: 82f184cdc8be4d6838cca9536ba98b60497fd2b4de5a4a052264fd370156e69b
Instruction Fuzzy Hash: FB112931240248BEEF205F79CC46FAB3BACEFD6B54F010524FA55E60A0D6B1DC519BA0

Function 00972F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00916B57: _wcslen.LIBCMT ref: 00916B6A

Part of subcall function 00972DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00972DC5
Part of subcall function 00972DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00972DD6
Part of subcall function 00972DA7: GetCurrentThreadId.KERNEL32 ref: 00972DDD
Part of subcall function 00972DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00972DE4

GetFocus.USER32 ref: 00972F78

Part of subcall function 00972DEE: GetParent.USER32(00000000), ref: 00972DF9

GetClassNameW.USER32(?,?,00000100), ref: 00972FC3
EnumChildWindows.USER32(?,0097303B), ref: 00972FEB

Strings

%s%d, xrefs: 00972FFF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 15918bb1f52f8673b098e48ca9dfe0e89ccfed3a8e4be794ad90b35e42fe72f0
Instruction ID: 9c0c70536ac39c250659a6497744021c4d15e0c055e3e54dc4434bf728c832f3
Opcode Fuzzy Hash: 15918bb1f52f8673b098e48ca9dfe0e89ccfed3a8e4be794ad90b35e42fe72f0
Instruction Fuzzy Hash: E811A2B27002096BCF14BF709C86FED376AAFC4314F04C075B90DAB292DE3099459B60

Function 009A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009A58EE
DrawMenuBar.USER32(?), ref: 009A58FD

Strings

0, xrefs: 009A588F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 61b587a4eedd188dd4e13102be4614c76ebe5b5b3ff3bb77dd92b3c36d80653a
Instruction ID: 8435389ab78e880b262d8d11d8f6a0911cf37a49a87606aa36bb859591014f25
Opcode Fuzzy Hash: 61b587a4eedd188dd4e13102be4614c76ebe5b5b3ff3bb77dd92b3c36d80653a
Instruction Fuzzy Hash: 5C019B71614218DFDB119F11DC44BAF7BB8FF86360F1180A9F849DA151DB308A84EF61

Function 0097007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421c24a445055f9b05ac9f14a7f51a51c438e076bc7aa715bbdf1b13da9b5b6c
Instruction ID: 927218489c629cdc3d3a354a641d6bd6809e825ba2804a79d8f0217f11edf5b4
Opcode Fuzzy Hash: 421c24a445055f9b05ac9f14a7f51a51c438e076bc7aa715bbdf1b13da9b5b6c
Instruction Fuzzy Hash: E0C14C76A0020AEFDB14CFA4C894BAEB7B9FF88714F108598E519EB251D731ED41DB90

Function 00943E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00943F0B
__alldvrm.LIBCMT ref: 0094410C
__alldvrm.LIBCMT ref: 0094412E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 190cc874151e7127a7039461bbeb22963bf223b9f011ec9ddff340a5e8cf3cbf
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 59A16B71E043869FEB25CF28C891FAEBBF8EF65350F1441ADE5959B281C6388D85CB50

Function 0099342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00993459
CoUninitialize.OLE32 ref: 00993463
VariantInit.OLEAUT32(?), ref: 0099346E
VariantClear.OLEAUT32(?), ref: 0099371B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 935ec8b0fecf0b80df8579ef7bb90e335575e0df46fb52ebc3b7d1f92b6f0a48
Instruction ID: d9a238b1220691538c8208446bcafd7c6083727ef1a453ebd419e70e90c9c199
Opcode Fuzzy Hash: 935ec8b0fecf0b80df8579ef7bb90e335575e0df46fb52ebc3b7d1f92b6f0a48
Instruction Fuzzy Hash: CEA149753042059FCB10DF68C485A6AB7E9FF88714F058859F98A9B362DB30EE41CB92

Function 00970436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009AFC08,?), ref: 009705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009AFC08,?), ref: 00970608
CLSIDFromProgID.OLE32(?,?,00000000,009ACC40,000000FF,?,00000000,00000800,00000000,?,009AFC08,?), ref: 0097062D
_memcmp.LIBVCRUNTIME ref: 0097064E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a1f29184e08b9db128f512bf12c9c40267e135d5e3d7696e1f0bbc422b1d3703
Instruction ID: cf986d0c9e676ecfd0a14bb207b2e0f040581c63d519d2f0390cf424363b4fce
Opcode Fuzzy Hash: a1f29184e08b9db128f512bf12c9c40267e135d5e3d7696e1f0bbc422b1d3703
Instruction Fuzzy Hash: 6C810972A00109EFCB04DF94C994EEEB7B9FF89315F208558F516AB250DB71AE46CB60

Function 0099A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0099A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0099A6BA

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Process32NextW.KERNEL32(00000000,?), ref: 0099A79C
CloseHandle.KERNEL32(00000000), ref: 0099A7AB

Part of subcall function 0092CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00953303,?), ref: 0092CE8A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2ab6bc568fb599b6d238aa575dc00c69fdb28012a7075fa30698fad76b5d889c
Instruction ID: 40e8d05b46da4e2ac87387fb2efec90aee96a97c92d7a696608e2f127569adcb
Opcode Fuzzy Hash: 2ab6bc568fb599b6d238aa575dc00c69fdb28012a7075fa30698fad76b5d889c
Instruction Fuzzy Hash: 49515EB1608314AFD710EF24D886A6BBBE8FFC9754F00891DF59597261EB30E944CB92

Function 00951391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009514C0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 476aed1dde627c2ff6a3ba124e8044b554468575aee42659ed9df8d2a1c5d9e2
Instruction ID: 6b8254c881d69665c8b2d5cf03d4d41cc6f950723f50cb8349f4bcb01fb7b0d4
Opcode Fuzzy Hash: 476aed1dde627c2ff6a3ba124e8044b554468575aee42659ed9df8d2a1c5d9e2
Instruction Fuzzy Hash: E2414A31A00111ABDB25EFFB9C45BBF3AA8EF81371F140625FC29D61A2E67488455761

Function 009A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009A62E2
ScreenToClient.USER32(?,?), ref: 009A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009A6382

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7ab156543fd399c4e73af6662625f9888d3ce0761e05e2e07ab8b4790d24b85b
Instruction ID: 84ee6f478c201331ee9e15522f2b29184885d0288652440b4462d3e06e8a5ba6
Opcode Fuzzy Hash: 7ab156543fd399c4e73af6662625f9888d3ce0761e05e2e07ab8b4790d24b85b
Instruction Fuzzy Hash: F1514D74A00249EFCF10DF68D880AAE7BB9FF46364F148159F9159B2A1DB30ED81DB90

Function 00991AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00991AFD
WSAGetLastError.WSOCK32 ref: 00991B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00991B8A
WSAGetLastError.WSOCK32 ref: 00991B94

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 9fbb910e274ddfeeac1df0af7d8b66cf77d22d7acb3c88ba4f72957cf71aa852
Instruction ID: 85442beb05b77da95f246fb91511b16cec9069f7acf5c24c865e2e893e8dda19
Opcode Fuzzy Hash: 9fbb910e274ddfeeac1df0af7d8b66cf77d22d7acb3c88ba4f72957cf71aa852
Instruction Fuzzy Hash: 2B4190747402016FEB20AF24D886F6577E5AF84718F548458F91A9F3D3E772ED828B90

Function 0094B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7d0eee610c1d4a4e42be1377442c75c92a6093f67766a251710d255d81a3d0
Instruction ID: 36e4fb35fe0fe02a8cd5d979d2cc4c7429afceb58066fac6880bd8e2e484b210
Opcode Fuzzy Hash: ee7d0eee610c1d4a4e42be1377442c75c92a6093f67766a251710d255d81a3d0
Instruction Fuzzy Hash: D8410675A00304AFD7249F38CC42FAABBE9EBC8720F10452AF556DB692D771E9058B80

Function 009856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00985783
GetLastError.KERNEL32(?,00000000), ref: 009857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009857FA

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 715b05cfb5a2a805d117f0492102d295f43dfb3dfb750d051e69f9ed461e9d97
Instruction ID: 7725e9f69d064ddaeff9b5f7020b40ae73872f18f86c387ae177ea07e23521de
Opcode Fuzzy Hash: 715b05cfb5a2a805d117f0492102d295f43dfb3dfb750d051e69f9ed461e9d97
Instruction Fuzzy Hash: B2411639704615DFCB11EF55C444A5ABBF6AF89320B198888E84AAB362CB34FD41CB91

Function 0094D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00936D71,00000000,00000000,009382D9,?,009382D9,?,00000001,00936D71,8BE85006,00000001,009382D9,009382D9), ref: 0094D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0094D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0094D9AB
__freea.LIBCMT ref: 0094D9B4

Part of subcall function 00943820: RtlAllocateHeap.NTDLL(00000000,?,009E1444,?,0092FDF5,?,?,0091A976,00000010,009E1440,009113FC,?,009113C6,?,00911129), ref: 00943852

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6682a84f7822e22c9df4d8adc44917efcde4c89f8fcb8d42aaa0b0623f1f520c
Instruction ID: c9dd804ead9d42ee0661dc710e0c6a7380808109093db5e71419d2563056833c
Opcode Fuzzy Hash: 6682a84f7822e22c9df4d8adc44917efcde4c89f8fcb8d42aaa0b0623f1f520c
Instruction Fuzzy Hash: A331BC72A0220AABDF24DF65DC45EAE7BA9EF81710F054168FC04DB290EB35DD50CBA0

Function 009A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 009A5352
GetWindowLongW.USER32(?,000000F0), ref: 009A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009A53A8

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 18cd4362cd20e03a6b7d322829a821eb2be4a501d05af6dc01de4014487d547b
Instruction ID: ad11ec6a7386e731637163129bb790c3d0e5578b3217aca87bad22bee62cca11
Opcode Fuzzy Hash: 18cd4362cd20e03a6b7d322829a821eb2be4a501d05af6dc01de4014487d547b
Instruction Fuzzy Hash: 4B31D030B59A08FFEF349A14CC46BE83769AB86390F594401FA11961E1CBB59D80EBC1

Function 0097AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0097ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0097AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0097AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0097ACC6

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d9edba437dace82c9010ebcab495d62a0512afd6d4e3bb8837a8c9b01e7cbdd1
Instruction ID: 8ccea165bc31c9fdb6c66cc926c821f1fa827fae524946d47502415739987eb7
Opcode Fuzzy Hash: d9edba437dace82c9010ebcab495d62a0512afd6d4e3bb8837a8c9b01e7cbdd1
Instruction Fuzzy Hash: 41311872A04218BFEF26CB658805BFE7AA9AFC5310F0CC61AE4C9561D1C37889819792

Function 009A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009A769A
GetWindowRect.USER32(?,?), ref: 009A7710
PtInRect.USER32(?,?,009A8B89), ref: 009A7720
MessageBeep.USER32(00000000), ref: 009A778C

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0a785c2a6ac649b7e35d66bf67f186d0d79024ca4a029c6f83ed8c8e8df3fc2d
Instruction ID: 5fd97ac3e3c256a4f41daabea7c4152fc785d6ffa0e17bb1a901a922f3b2da43
Opcode Fuzzy Hash: 0a785c2a6ac649b7e35d66bf67f186d0d79024ca4a029c6f83ed8c8e8df3fc2d
Instruction Fuzzy Hash: D4417A34A09255DFCB01CF98DC96EA9B7F9FF4A314F1940A8E8149F262D730A941DBD0

Function 009A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009A16EB

Part of subcall function 00973A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00973A57
Part of subcall function 00973A3D: GetCurrentThreadId.KERNEL32 ref: 00973A5E
Part of subcall function 00973A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009725B3), ref: 00973A65

GetCaretPos.USER32(?), ref: 009A16FF
ClientToScreen.USER32(00000000,?), ref: 009A174C
GetForegroundWindow.USER32 ref: 009A1752

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 56cb23cde809e34f21ef469d8bd6c79b4139e2e52b40fd2efb019b59b2f9063c
Instruction ID: b5ef865e7098affe4f719015f6eff2ec78372ebc967ee029a5fb4209dbeedc75
Opcode Fuzzy Hash: 56cb23cde809e34f21ef469d8bd6c79b4139e2e52b40fd2efb019b59b2f9063c
Instruction Fuzzy Hash: 07311DB5E04249AFC704EFA9C8819EEBBF9EF89304B5480A9E415E7211D631DE45CBA0

Function 009A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

GetCursorPos.USER32(?), ref: 009A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00967711,?,?,?,?,?), ref: 009A9016
GetCursorPos.USER32(?), ref: 009A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00967711,?,?,?), ref: 009A9094

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 249cce87100b9fd79634ea454df9e2adc4cf27bbbce368266d5f3ff692789568
Instruction ID: 3f92d2db6212e650c316a7655b0a6c9f612d8a8595866500495c3c4671e4900c
Opcode Fuzzy Hash: 249cce87100b9fd79634ea454df9e2adc4cf27bbbce368266d5f3ff692789568
Instruction Fuzzy Hash: ED219F35615028EFCB258F94D898EEA7BB9FF8A390F144055F9054B261C3319D90EBA0

Function 0097D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009ACB68), ref: 0097D2FB
GetLastError.KERNEL32 ref: 0097D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0097D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009ACB68), ref: 0097D376

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e1a32aab0e313374ee48225a09d310f139535b1370395370a9ef6ed85e09148b
Instruction ID: 01d56c5fa31bdc271d900303ef3f6b148e30021540f20191cc205bd905df07ab
Opcode Fuzzy Hash: e1a32aab0e313374ee48225a09d310f139535b1370395370a9ef6ed85e09148b
Instruction Fuzzy Hash: A621837160A2019F8710DF24C8819AA77F8EF96768F108A1DF4A9C72A1DB31D946CB93

Function 00971571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00971014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0097102A
Part of subcall function 00971014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00971036
Part of subcall function 00971014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971045
Part of subcall function 00971014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0097104C
Part of subcall function 00971014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00971062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009715BE
_memcmp.LIBVCRUNTIME ref: 009715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00971617
HeapFree.KERNEL32(00000000), ref: 0097161E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: da966432ad8d3aef1804a9f5e5015fbd10c1d58203c473cf1e1573a3ceb5434b
Instruction ID: 0af4764b63b787bb30f68479fb4207a0bd0111bf373acf69c66906f111aa0974
Opcode Fuzzy Hash: da966432ad8d3aef1804a9f5e5015fbd10c1d58203c473cf1e1573a3ceb5434b
Instruction Fuzzy Hash: 2A21A172E00109EFDF14DFA8C945BEEB7B8EF45344F198459E445AB241E730AA05EF90

Function 009A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009A2840

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6ec8fc21cb116e70e0bb65c22190b88491a366d06833e1f105c05f53d05cad54
Instruction ID: 00b755b965804ecaacd386061aad213b6b3239b72eaff494c3d6883c900f13dd
Opcode Fuzzy Hash: 6ec8fc21cb116e70e0bb65c22190b88491a366d06833e1f105c05f53d05cad54
Instruction Fuzzy Hash: 2E21CF31608515AFD7149B28C844FAA7B9AEF87324F148158F4268F6E2CB75FD82CBD0

Function 009778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00978D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0097790A,?,000000FF,?,00978754,00000000,?,0000001C,?,?), ref: 00978D8C
Part of subcall function 00978D7D: lstrcpyW.KERNEL32(00000000,?,?,0097790A,?,000000FF,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00978DB2
Part of subcall function 00978D7D: lstrcmpiW.KERNEL32(00000000,?,0097790A,?,000000FF,?,00978754,00000000,?,0000001C,?,?), ref: 00978DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00977923
lstrcpyW.KERNEL32(00000000,?,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00977949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00978754,00000000,?,0000001C,?,?,00000000), ref: 00977984

Strings

cdecl, xrefs: 0097797B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 66392da2c44e8e859954aa711312dece47994877ae41f1f09113dd45ae699716
Instruction ID: ba1e4c836afca9a51bbeedbc3f57db3f17a4fb89effdb772499c6553e5186305
Opcode Fuzzy Hash: 66392da2c44e8e859954aa711312dece47994877ae41f1f09113dd45ae699716
Instruction Fuzzy Hash: DA11063B205201AFCB155F74D849E7BB7A9FF85390B00802AF90ACB2A4EF319801D791

Function 009A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0098B7AD,00000000), ref: 009A7D6B

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9345cda7494cfa63156823855fd31d12384e73a1ff661b159bf5a79cfbe66bbe
Instruction ID: bfa8603f08a52de0ec0d6fa2fbc44c639e5b2423ef5947ee64fb7a0a96c564d1
Opcode Fuzzy Hash: 9345cda7494cfa63156823855fd31d12384e73a1ff661b159bf5a79cfbe66bbe
Instruction Fuzzy Hash: AA11A271618665AFCB109F68DC04A6A7BA9AF47360B154724F835DB2F0D7309D50DB90

Function 009A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009A56BB
_wcslen.LIBCMT ref: 009A56CD
_wcslen.LIBCMT ref: 009A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 009A5816

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 5da412b72da1146b8969910f09536c86fa45e6280437bba622cec2e8e31b1a03
Instruction ID: c7f0120b3d2725ad2ab30abfa27b8507995c1881e826f75600b2517e33ecf5e2
Opcode Fuzzy Hash: 5da412b72da1146b8969910f09536c86fa45e6280437bba622cec2e8e31b1a03
Instruction Fuzzy Hash: F211EE71B00608A6DB20DFA28C81AEE77ACAF46760F504426F905DA081EB748A80CBE0

Function 00941D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d239b9e6250e66046b7bd53ab6d81095028b35b48100f9e36ca5982c90593fd
Instruction ID: 188123f34d3e62c0d793462afa8867b972a849d66afb0351cc1866618ca0b6f1
Opcode Fuzzy Hash: 1d239b9e6250e66046b7bd53ab6d81095028b35b48100f9e36ca5982c90593fd
Instruction Fuzzy Hash: 76016DF2A196167FF6212AB86CC1F67671DEF863B8B340726F531A51D2DB709C805170

Function 00971A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00971A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00971A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00971A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00971A8A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 51ada7ac6a7407a3e7f02f268c9cf4b41ad6cbb8fa6e1d22807fa1ae852444cc
Instruction ID: 2972cac6c2b8b8b5d5d458d3a5a65f137522404f672732175676873b76ad4f47
Opcode Fuzzy Hash: 51ada7ac6a7407a3e7f02f268c9cf4b41ad6cbb8fa6e1d22807fa1ae852444cc
Instruction Fuzzy Hash: CE11097AD01219FFEF11DBA9CD85FADBB78EB08750F204091EA04B7290D6716E50DB94

Function 0097E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0097E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0097E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0097E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0097E24D

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 20caa669e6461443dbc65ec7b067c62689cef7124bf4368686f0b89321a10e7f
Instruction ID: cbf8c18b64daf938d2def18648d9192c8d48c8eb65ca27e98510bb32a9fd7db4
Opcode Fuzzy Hash: 20caa669e6461443dbc65ec7b067c62689cef7124bf4368686f0b89321a10e7f
Instruction Fuzzy Hash: 36112BB6A1C254BBC7019FA89C45A9F7FAC9F45310F008255F828E7291D670CD0097A0

Function 0093D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0093CFF9,00000000,00000004,00000000), ref: 0093D218
GetLastError.KERNEL32 ref: 0093D224
__dosmaperr.LIBCMT ref: 0093D22B
ResumeThread.KERNEL32(00000000), ref: 0093D249

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ed857dd12e9e6af20dbc262725c953deefe9b55089a855a3e477c1cfa54f30ae
Instruction ID: b78b0078b67c0c893b01fc0ff2e2e7888cea96702683c88217a50d85311c5507
Opcode Fuzzy Hash: ed857dd12e9e6af20dbc262725c953deefe9b55089a855a3e477c1cfa54f30ae
Instruction Fuzzy Hash: 1801D27680A204BBCB215BA5EC19BAB7A6DEFC2731F100219F935961D0CF71C901DBA0

Function 009A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00929BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00929BB2

GetClientRect.USER32(?,?), ref: 009A9F31
GetCursorPos.USER32(?), ref: 009A9F3B
ScreenToClient.USER32(?,?), ref: 009A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 009A9F7A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4ea752cc2753f7d605464ad997915417952cc65513f88bcfa02df604fe14881e
Instruction ID: 0f00dc4d5612ece75648b1bf243a34e629a272eb93dc098696d1c8de522854df
Opcode Fuzzy Hash: 4ea752cc2753f7d605464ad997915417952cc65513f88bcfa02df604fe14881e
Instruction Fuzzy Hash: F511107290425AAFDB149FA8D889AEE77B8FB46311F000451FA01E6140D330AE81DBE1

Function 0091600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0091604C
GetStockObject.GDI32(00000011), ref: 00916060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0091606A

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 56f14451bc1f41fb615e349d2e1378f685e8791c6d5c6e2454792bf1dba58ee1
Instruction ID: aac3bf5fb201c983e6ec64ce6d1374c2964360607726ed3b4b9e955a80bd1ab8
Opcode Fuzzy Hash: 56f14451bc1f41fb615e349d2e1378f685e8791c6d5c6e2454792bf1dba58ee1
Instruction Fuzzy Hash: 641161B2A0654DBFEF128F959C54EEA7B6DEF0D354F040115FA1456110D7369CA0EB90

Function 00933B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00933B56

Part of subcall function 00933AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00933AD2
Part of subcall function 00933AA3: ___AdjustPointer.LIBCMT ref: 00933AED

_UnwindNestedFrames.LIBCMT ref: 00933B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00933B7C
CallCatchBlock.LIBVCRUNTIME ref: 00933BA4

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 17cd71064e37e25c27029b45e13a93f5f9d793c3972f7c39faf04ff6fb2395e1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8B012932140148BBDF125E95CC46EEB7B7EEF88754F058014FE48A6121C736E961DFA0

Function 00943073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009113C6,00000000,00000000,?,0094301A,009113C6,00000000,00000000,00000000,?,0094328B,00000006,FlsSetValue), ref: 009430A5
GetLastError.KERNEL32(?,0094301A,009113C6,00000000,00000000,00000000,?,0094328B,00000006,FlsSetValue,009B2290,FlsSetValue,00000000,00000364,?,00942E46), ref: 009430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0094301A,009113C6,00000000,00000000,00000000,?,0094328B,00000006,FlsSetValue,009B2290,FlsSetValue,00000000), ref: 009430BF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e28388e6cc3f6e07f4e79751f9cf8b18ef4fd148f7d33d41a47721bd84c48176
Instruction ID: e29daa5ab2b73fcf84d74aa1cb42ec7e68291b84dbeec15d0ba4cf76fc135e8a
Opcode Fuzzy Hash: e28388e6cc3f6e07f4e79751f9cf8b18ef4fd148f7d33d41a47721bd84c48176
Instruction Fuzzy Hash: 6801DB72729222ABCB314B799C45E577B9CAF46B71B218720F915E7140DB25DD01C6E0

Function 00977464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0097747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00977497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009774CA

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 658524f9d13f1b9617a0b1973a2446289032bc5039b5bd198d389aa0c2b4d23c
Instruction ID: 1af79b64ee70bf544f5c8fb6e5e0b5d88e29b10cca5d9aee39ca160d44605252
Opcode Fuzzy Hash: 658524f9d13f1b9617a0b1973a2446289032bc5039b5bd198d389aa0c2b4d23c
Instruction Fuzzy Hash: B21161B62093159BE7208FA4DC09F92BFFDEF04B04F10C969A65ADA161D7B4E904DB90

Function 0097B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0097ACD3,?,00008000), ref: 0097B126

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 73482896d8d728cebb8a5a718f65c516aa01c045cd48bf5f13865f8accb7ac00
Instruction ID: bdcae5d88ab0548701625d369c4ae4a6bf496b7928c518aadb5f93006b7a4fd0
Opcode Fuzzy Hash: 73482896d8d728cebb8a5a718f65c516aa01c045cd48bf5f13865f8accb7ac00
Instruction Fuzzy Hash: 7E11AD72E0952DEBCF00AFE4E9A87EEBB78FF0A711F008086D945B2185CB304651DB91

Function 00972DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00972DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00972DD6
GetCurrentThreadId.KERNEL32 ref: 00972DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00972DE4

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8eb5f0e0caf6b022109d260ae8517d14923b09bbf1c85644ba899db77ce434a5
Instruction ID: 9373eace9b1cc9f0303d78c7c58965f0655bf1b388cac5bc1ef0698afcc6c2d4
Opcode Fuzzy Hash: 8eb5f0e0caf6b022109d260ae8517d14923b09bbf1c85644ba899db77ce434a5
Instruction Fuzzy Hash: 91E092B26292247BD7305B729C0DFEB3E6CFF43BA1F004015F109D90809AA4C840D6F0

Function 009A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00929639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00929693
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296A2
Part of subcall function 00929639: BeginPath.GDI32(?), ref: 009296B9
Part of subcall function 00929639: SelectObject.GDI32(?,00000000), ref: 009296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009A8887
LineTo.GDI32(?,?,?), ref: 009A8894
EndPath.GDI32(?), ref: 009A88A4
StrokePath.GDI32(?), ref: 009A88B2

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fe061232b8aaec2fa76543ca7efbca313dee25c2f3301ba233c3487b358b61fd
Instruction ID: c14f3fd7b7c4ad321b594bbe86ddcb84e54d2b223e528762e59ec7b73a09ea11
Opcode Fuzzy Hash: fe061232b8aaec2fa76543ca7efbca313dee25c2f3301ba233c3487b358b61fd
Instruction Fuzzy Hash: 13F03A36059268BADB125F94AC0DFCE3A59AF07310F448000FA11690E2CB795511EBE9

Function 009298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009298CC
SetTextColor.GDI32(?,?), ref: 009298D6
SetBkMode.GDI32(?,00000001), ref: 009298E9
GetStockObject.GDI32(00000005), ref: 009298F1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f92155ba614450e2a18bdb226d59a672d1147eb50cdf0588a2fb20b62eae2a54
Instruction ID: 089931c3ea8bde31a18ab66ba35b4676c7736c79319cfec15e08c68d58df2d0b
Opcode Fuzzy Hash: f92155ba614450e2a18bdb226d59a672d1147eb50cdf0588a2fb20b62eae2a54
Instruction Fuzzy Hash: DBE06D7125C280AADB215B74BC09BE87F65EF1333AF048219F6FA580E1C7724680AB10

Function 0097162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00971634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009711D9), ref: 0097163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009711D9), ref: 00971648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009711D9), ref: 0097164F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0b77bc6c4a2737abb482b46f4fb766000b3239bc9a25e4342a1c2c92b4665621
Instruction ID: 91c169c0b5c48bb9028b39abcf09eb1dfe6a8bd34899d1e0ed213066168ae61f
Opcode Fuzzy Hash: 0b77bc6c4a2737abb482b46f4fb766000b3239bc9a25e4342a1c2c92b4665621
Instruction Fuzzy Hash: 4DE086B2615221DBDB201FA49D0DB473B7CAF46791F158808F645DD080DB348540D790

Function 0096D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0096D858
GetDC.USER32(00000000), ref: 0096D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0096D882
ReleaseDC.USER32(?), ref: 0096D8A3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: efe7ee3ff9bbcf0b09a75d5d50fe20efc4147e7003aaeb56c14e84e267179719
Instruction ID: 1062c477875888e799789d2b66ce3693884a916efc5e80cf0b34bcb05f3b6988
Opcode Fuzzy Hash: efe7ee3ff9bbcf0b09a75d5d50fe20efc4147e7003aaeb56c14e84e267179719
Instruction Fuzzy Hash: 3CE0E5B0914209DFCB419FA0980C66DBBB1EF09310B108409E806EB350CB389941AF80

Function 0096D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0096D86C
GetDC.USER32(00000000), ref: 0096D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0096D882
ReleaseDC.USER32(?), ref: 0096D8A3

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5fedeed2468cb2538c96910160eeea80f122a5288e98fd54525f2eafaa6d2ffe
Instruction ID: 3fe37e328ac8dee5d13c5d239e1e3cc0e5c0a47a432dd998ac4d3c51ac1bc7d7
Opcode Fuzzy Hash: 5fedeed2468cb2538c96910160eeea80f122a5288e98fd54525f2eafaa6d2ffe
Instruction Fuzzy Hash: DBE01AB0814209DFCF419FA0D80C66DBBB1FF09310B108408E806EB350CB389901AF80

Function 00984D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00917620: _wcslen.LIBCMT ref: 00917625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00984ED4

Strings

LPT, xrefs: 00984DFB
*, xrefs: 00984E10

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 37d7afef037c53ffc85272fe66d165e0ec94479728f3ab9a58de9dc40e6c070a
Instruction ID: d262b2db2139caa1627ffb27299d440940ee6bfedcc55bb087357a1534704374
Opcode Fuzzy Hash: 37d7afef037c53ffc85272fe66d165e0ec94479728f3ab9a58de9dc40e6c070a
Instruction Fuzzy Hash: 73915175A002059FCB14EF58C484EAABBF5BF48308F19809DE94A9F362D735ED85CB91

Function 0093E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0093E30D

Strings

pow, xrefs: 0093E2E5, 0093E302

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fec79a6b09585fbb6908e56f80201908f183c1fb27e4c45fbd2e97b17adf4876
Instruction ID: 77ad4cb58785666f566a640ac39f7a74d40fd8907e56e6832c5c053573e4f18e
Opcode Fuzzy Hash: fec79a6b09585fbb6908e56f80201908f183c1fb27e4c45fbd2e97b17adf4876
Instruction Fuzzy Hash: 9F518E61E2C20A96CB157764CE45BBBBBACEF40750F344E58E0E5423F9EB348C919E46

Function 0092E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0092E1B1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ae419e96b0c256e2733a55e21e634b3d054da20f80570a47a1a008d2e59ff8e2
Instruction ID: 5ba1449660442d5a0a762fd75a6d46748f0419b37fd5440859743473a53e1b93
Opcode Fuzzy Hash: ae419e96b0c256e2733a55e21e634b3d054da20f80570a47a1a008d2e59ff8e2
Instruction Fuzzy Hash: 19513579A0425ADFDF15DF28D081AFA7BA8EF56310F248055F8A29B2C4D7349D42CBA0

Function 0092F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0092F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0092F2BB

Strings

@, xrefs: 0092F2AF

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 85a9c248a0471ba8d97101732512b2b52dc65286e641af2a3c21f52d3117525c
Instruction ID: 7384f24a0501f910b331ffbbfff6dda2a15fdcf607a75f7868364b4e34af7498
Opcode Fuzzy Hash: 85a9c248a0471ba8d97101732512b2b52dc65286e641af2a3c21f52d3117525c
Instruction Fuzzy Hash: 125135719187499BD320EF50D886BABBBF8FFC5300F81885DF199411A5EB308569CB66

Function 00995745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009957E0
_wcslen.LIBCMT ref: 009957EC

Strings

CALLARGARRAY, xrefs: 009957E6, 009957EB

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6a7a561694cabd4adb644064d014a704a5d9f40175add5e4106408243e4c0529
Instruction ID: f4544ce7134ebc064cbddc544c9a7cfeaf45488d4c9220f8296622005ad2a630
Opcode Fuzzy Hash: 6a7a561694cabd4adb644064d014a704a5d9f40175add5e4106408243e4c0529
Instruction Fuzzy Hash: 10418171A002099FCF15DFA9C8859BEBBF9EF99324F114069E505A7261E7349D81CB90

Function 0098D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0098D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0098D13A

Strings

|, xrefs: 0098D10B

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ca68243524e967fa3712cd4179f343ce074e7abb3671db2186a4666bfd744968
Instruction ID: bb0b8ddb2e018445115b17b7a0866350073575d28ca7ccbfe3975e3deb0b0e1c
Opcode Fuzzy Hash: ca68243524e967fa3712cd4179f343ce074e7abb3671db2186a4666bfd744968
Instruction Fuzzy Hash: 46313D71D01209ABCF15EFA4CC85AEE7FB9FF45300F000119F815A6265DB35AA56DB50

Function 009A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009A365C

Strings

static, xrefs: 009A35BC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3282456b6dcd285e505d274030cd0b2a867d0ecd09ec272d73b2d11ee9f9a7fd
Instruction ID: 7737a6908a05b9944658498003d950709e879332f3767a0c05029da4739732eb
Opcode Fuzzy Hash: 3282456b6dcd285e505d274030cd0b2a867d0ecd09ec272d73b2d11ee9f9a7fd
Instruction Fuzzy Hash: 55318B71510204AEDB109F68DC81FFB73ADFF89724F009619F8A997280DA31AD81DBA0

Function 009A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009A4634

Strings

', xrefs: 009A458E

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 178ccf72854ce4abbf2a7deebc736ab61a484506534db539524a9fff2e5dd14f
Instruction ID: 35dfe155be1aec3b18b2a1fcae168c03b690118e6032784891f0b64d8389d74e
Opcode Fuzzy Hash: 178ccf72854ce4abbf2a7deebc736ab61a484506534db539524a9fff2e5dd14f
Instruction Fuzzy Hash: 3331F774A0130A9FDB14CFA9C991BDA7BB9FF8A300F14546AE905AB351D7B0A941CF90

Function 009A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009A3287

Strings

Combobox, xrefs: 009A3249

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fea32e20c783ec451c51aa97feaffa4335176d172559b3bc93215237478ab09e
Instruction ID: 7c18ca3c8fe441c50d9aa989cc116a3961fc57e4fbdecbe0c477013900b33486
Opcode Fuzzy Hash: fea32e20c783ec451c51aa97feaffa4335176d172559b3bc93215237478ab09e
Instruction Fuzzy Hash: 6C11B2713042087FEF219E94DC81FBB3B6EEB9A3A4F108125F9289B290D6319D5197E0

Function 009A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0091600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0091604C
Part of subcall function 0091600E: GetStockObject.GDI32(00000011), ref: 00916060
Part of subcall function 0091600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0091606A

GetWindowRect.USER32(00000000,?), ref: 009A377A
GetSysColor.USER32(00000012), ref: 009A3794

Strings

static, xrefs: 009A3757

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 081f6e8dd4c7d93f3c472e50b68b656902bc660303fb57b1a86291bf747f085b
Instruction ID: 673f8650188b1a1468b51203f64980689c11cbbd4697daff66f6eb14de3bdb49
Opcode Fuzzy Hash: 081f6e8dd4c7d93f3c472e50b68b656902bc660303fb57b1a86291bf747f085b
Instruction Fuzzy Hash: C61129B2610209AFDB00DFA8CC45EFA7BF8EF09354F004914F955E6250E735E8519BA0

Function 0098CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0098CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0098CDA6

Strings

<local>, xrefs: 0098CD66

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fe40437733306bc6ffda3446a692e4c669ac6804ce2c00b6645a6ca4ac4de00e
Instruction ID: 682928ee6de5f9059c5f072562b842bc8da55461841e710c5c41945821c2157c
Opcode Fuzzy Hash: fe40437733306bc6ffda3446a692e4c669ac6804ce2c00b6645a6ca4ac4de00e
Instruction Fuzzy Hash: 2F11C2F1215631BAD7387B668C49EE7BEACEF127A4F00462AB10A932C0D7749841D7F0

Function 009A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009A34BA

Strings

edit, xrefs: 009A348F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ae0172db0bace4d48b1b0422222a84e9e6cdd68ddd409694d9decea27a7a5369
Instruction ID: cc52b3f4680792527be0b451b41756eee230bb616a57a8cc332cd79e878e8bfb
Opcode Fuzzy Hash: ae0172db0bace4d48b1b0422222a84e9e6cdd68ddd409694d9decea27a7a5369
Instruction Fuzzy Hash: EB118F71514208AFEB118F64DC84AEB37AEEF4A378F508724F961971E0C775DC919B90

Function 00976C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

CharUpperBuffW.USER32(?,?,?), ref: 00976CB6
_wcslen.LIBCMT ref: 00976CC2

Strings

STOP, xrefs: 00976CBC, 00976CC1

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 00a8bf65a0c5892a29d5a42b7cd7c36886da84c0faece7d3d4811182c1151bea
Instruction ID: af52c6e27cad0224979a6aacf758b9fcc1c6c071f56c8f4d282df043eaf34a93
Opcode Fuzzy Hash: 00a8bf65a0c5892a29d5a42b7cd7c36886da84c0faece7d3d4811182c1151bea
Instruction Fuzzy Hash: 6B01043361092A8ACB219FBDCC80ABF33A8EBA1710B154924E9AA96190EB35D940C650

Function 00971CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00971D4C

Strings

ComboBox, xrefs: 00971CEB
ListBox, xrefs: 00971D16

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 265dd58f1fd6dc886dffb0d1e50c1cd10c2b90b005421a31cd03dcf228dffd83
Instruction ID: 66d79e30e016e7ae6d68cad7e7e4f9ac20fa714750b97a6f2e7d3178b6ef8a8e
Opcode Fuzzy Hash: 265dd58f1fd6dc886dffb0d1e50c1cd10c2b90b005421a31cd03dcf228dffd83
Instruction Fuzzy Hash: A701DD72741118ABCB14EBA4CD51DFE7368EF86390B04851AFC6A573C1EA3459089B60

Function 00971BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00971C46

Strings

ComboBox, xrefs: 00971BE5
ListBox, xrefs: 00971C10

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bfd9de20ba7bc98ee6437b140fddb47257ca6e80e7e964c372e866ee82e9b2ce
Instruction ID: 9038dc72c3f6d9b0aae974f4813918bbbbbc7faee4a16e3a3cddf28bdbe1c6f6
Opcode Fuzzy Hash: bfd9de20ba7bc98ee6437b140fddb47257ca6e80e7e964c372e866ee82e9b2ce
Instruction Fuzzy Hash: EC01AC7678110867CB05E7D4C952BFF77AC9F51340F284016A98A672C1EA249E08D7B1

Function 00971C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00971CC8

Strings

ComboBox, xrefs: 00971C69
ListBox, xrefs: 00971C94

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 384e3b77f1a32eca173214ae3a54e271f92d11eda73243e1381c6155c320141f
Instruction ID: a8de82b1b8973b2e09f5b7c7cd9221ff5ae4b70e9ff8b525c789cdf0d872625d
Opcode Fuzzy Hash: 384e3b77f1a32eca173214ae3a54e271f92d11eda73243e1381c6155c320141f
Instruction Fuzzy Hash: 4001DB7278011867CB05EBD4CB12BFE73ACAB52340F188016BCCA77281EA249F08D6B1

Function 00971D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00919CB3: _wcslen.LIBCMT ref: 00919CBD

Part of subcall function 00973CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00973CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00971DD3

Strings

ComboBox, xrefs: 00971D75
ListBox, xrefs: 00971DA0

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 020354d158a7b850aae3457ed2cc98754ba70c4aa6b8a06ccc4ea9d5f3960948
Instruction ID: e9bd60dac7667eef45348deabaa210d5f60cb2e16127e1847cf01d6fb538771a
Opcode Fuzzy Hash: 020354d158a7b850aae3457ed2cc98754ba70c4aa6b8a06ccc4ea9d5f3960948
Instruction Fuzzy Hash: 2AF0C872B5121867DB14F7A8CD63FFF777CAF82350F044916B8AB672C1DA645A0886A0

Function 0099747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00997493
_wcslen.LIBCMT ref: 009974B9

Strings

3, 3, 16, 1, xrefs: 00997483

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f617ef0974b9d9e0dcf31bd076da00c77e552322d7b60e41453199061e008ffe
Instruction ID: a892dff809b32e341698267e9fb85c6a598af95205336c425e3cccc7cba4f07b
Opcode Fuzzy Hash: f617ef0974b9d9e0dcf31bd076da00c77e552322d7b60e41453199061e008ffe
Instruction Fuzzy Hash: 49E02B0222422010973112BEACC1B7FD78ECFC9BA0B14182BF985C227BEE949D9193A1

Function 00970B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00970B23

Strings

Error allocating memory., xrefs: 00970B1C
AutoIt, xrefs: 00970B17

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 30adf3c3f47a84e605cc34bef6359a041d9675983c4d78f3cc1fd8ed73a5b499
Instruction ID: 2d192c56f9f7b4076f084f279dfda8e7c3ec74927b7f7e60bb1485a99b6ace8a
Opcode Fuzzy Hash: 30adf3c3f47a84e605cc34bef6359a041d9675983c4d78f3cc1fd8ed73a5b499
Instruction Fuzzy Hash: 08E0D83228431826D22437547C03F897B948F86B24F104427F788595C38FE1649046E9

Function 00930D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0092F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00930D71,?,?,?,0091100A), ref: 0092F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0091100A), ref: 00930D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0091100A), ref: 00930D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00930D7F

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: fc67871011edf38bb45ba5da54364e043e0199f166b96e3ce948171e96810c37
Instruction ID: aaecd429a5fba5df9107e10689256bdc07e92699134114f045377154e4b7ab1f
Opcode Fuzzy Hash: fc67871011edf38bb45ba5da54364e043e0199f166b96e3ce948171e96810c37
Instruction Fuzzy Hash: BCE092B02003518BD7309FBCE4243467BE4AF45744F00492DE8A2CA695DBB1E884DFD1

Function 00983017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0098302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00983044

Strings

aut, xrefs: 00983038

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e51f9c052e7e682f08ab7a6402efcd9b5d4a85147b309d34c80b51300f59ab09
Instruction ID: 35760ccceb3e36b18b07cae0ea591aab88eea8db70edf93e58eff58abf6f0aef
Opcode Fuzzy Hash: e51f9c052e7e682f08ab7a6402efcd9b5d4a85147b309d34c80b51300f59ab09
Instruction Fuzzy Hash: 90D05BB154031477DA2097949D0DFC73B6CDB05750F4001527A65D6095DAB0D544CAD0

Function 009A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009A233F

Part of subcall function 0097E97B: Sleep.KERNEL32 ref: 0097E9F3

Strings

Shell_TrayWnd, xrefs: 009A2325

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 829ea414d765921ed449f1117947d72259392c9c7a4a6dce14e4eaa535808a2b
Instruction ID: 3348573a024e1f8fe924edf04da32ae163f3c2fbd20fc17989f7a6308bc1a60d
Opcode Fuzzy Hash: 829ea414d765921ed449f1117947d72259392c9c7a4a6dce14e4eaa535808a2b
Instruction Fuzzy Hash: 05D0C9767A8310B6E664A7709C0FFC67A149F95B14F0089167759AA1D0C9A0A8019A94

Function 009A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009A236C
PostMessageW.USER32(00000000), ref: 009A2373

Part of subcall function 0097E97B: Sleep.KERNEL32 ref: 0097E9F3

Strings

Shell_TrayWnd, xrefs: 009A2365

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2537233e669e00af4af53962fa00793fbe9aae8dfc7053cffebc0bc1b2ed837a
Instruction ID: 58fc293c0e6c008c8348420756a4fff1f03685ec7fe129d8061ae8d1d0bcbf8b
Opcode Fuzzy Hash: 2537233e669e00af4af53962fa00793fbe9aae8dfc7053cffebc0bc1b2ed837a
Instruction Fuzzy Hash: 71D0C9727D93107AE664A7709C0FFC676149B96B14F0089167755AA1D0C9A0A8019A98

Function 0094BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0094BE93
GetLastError.KERNEL32 ref: 0094BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0094BEFC

Memory Dump Source

Source File: 00000000.00000002.2136611995.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.2136528790.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136902784.00000000009D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137050276.00000000009DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2137108075.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52f207c61d6a3dc5c052c2fb092b961a50d38172f2700c9817f6fa7c4746f135
Instruction ID: 8cc064cf9561afe5c0896ce057f6ecb200aacee755211e5d3567ea291e47b16a
Opcode Fuzzy Hash: 52f207c61d6a3dc5c052c2fb092b961a50d38172f2700c9817f6fa7c4746f135
Instruction Fuzzy Hash: 8F41C334604206AFCF259F65CC54FAA7BA9AF82310F1441A9F95D9B1A1DB30CD05DB90

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2269824620.00001BC655F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269824620.00001BC655F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269626939.0000285493503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2269626939.0000285493503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2270679468.000001786A1D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261258154.000001786A1D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2318457747.000001786A1DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2211138835.0000017866B91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308793268.000001786720D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291908521.0000017866B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2283161765.000001786080F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281571036.00000178608E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2140542793.000001785FFD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281571036.00000178608E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2140542793.000001785FFD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2298428240.000001785F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270679468.000001786A1D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261258154.000001786A1D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2308793268.000001786720D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2269626939.0000285493503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: T4www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269824620.00001BC655F03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: U$://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269626939.0000285493503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: U$://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2296104419.000001786085B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283161765.000001786081B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2296104419.000001786085B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2283161765.000001786081B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2283161765.000001786080F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2281571036.00000178608E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/xtensioZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2281571036.00000178608E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2140542793.000001785FFD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2318037548.000001785E150000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.000001186440A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2318037548.000001785E150000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.000001186440A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2318037548.000001785E150000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905944109.000001186440A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3905947404.00000153F4B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2260353542.000001786A7B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2303579481.000001785EA19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298428240.000001785F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2270679468.000001786A1D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2269626939.0000285493503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2303579481.000001785EA19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308793268.000001786720D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304085435.000001785BB79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2269355916.00000FC05AC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273673863.0000105A72403000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2298428240.000001785F7A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298428240.000001785F7D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49866 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49871 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_299dc3a2-3c2e-47db-b2c5-df0f0b7fd3e6.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_299dc3a2-3c2e-47db-b2c5-df0f0b7fd3e6.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFTGXSPFX6RGPVI6SEAX.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKRRYCNOU9MRLOGESE62.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre