Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574233
MD5:	e065205fc134566fda736ccc9be37e12
SHA1:	ee67f894363f08641cc5776c221f506f655f3974
SHA256:	d9fa5d9c0c146db63a04997489362a3991095598941556880dbc5a2d22cc6c35
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E065205FC134566FDA736CCC9BE37E12)

taskkill.exe (PID: 5596 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4632 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7128 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6820 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2836 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1068 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4504 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 984 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 344 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9581fea2-e02b-4ecb-8d33-59ff9b00bbb1} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297ce76d910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3820 -parentBuildID 20230927232528 -prefsHandle 2720 -prefMapHandle 2688 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76cf4d42-ad86-44da-b0ab-ff06d0696284} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e0806710 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7536 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2532 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3996ec-619f-4f1d-93b6-3ac2be77d329} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e87c6f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6840	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00B2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B2ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00B2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00B1AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B49576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1725404703.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f20518f3-9
Source: file.exe, 00000000.00000000.1725404703.0000000000B72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_77271b80-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0e4816a9-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_57aa96ae-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000019741948037 NtQuerySystemInformation,		16_2_0000019741948037
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000019741968232 NtQuerySystemInformation,		16_2_0000019741968232

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B1D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B1E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB8060	0_2_00AB8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B22046	0_2_00B22046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B18298	0_2_00B18298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AEE4FF	0_2_00AEE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE676B	0_2_00AE676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B44873	0_2_00B44873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ADCAA0	0_2_00ADCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABCAF0	0_2_00ABCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACCC39	0_2_00ACCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE6DD9	0_2_00AE6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB91C0	0_2_00AB91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACB119	0_2_00ACB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD1394	0_2_00AD1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD1706	0_2_00AD1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD781B	0_2_00AD781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD19B0	0_2_00AD19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB7920	0_2_00AB7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC997D	0_2_00AC997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD7A4A	0_2_00AD7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD7CA7	0_2_00AD7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD1C77	0_2_00AD1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE9EEE	0_2_00AE9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3BE44	0_2_00B3BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD1F32	0_2_00AD1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000019741948037	16_2_0000019741948037
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000019741968232	16_2_0000019741968232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000019741968272	16_2_0000019741968272
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001974196895C	16_2_000001974196895C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00ACF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00AD0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/41@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B237B5 GetLastError,FormatMessageW,

0_2_00B237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B110BF AdjustTokenPrivileges,CloseHandle,		0_2_00B110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B1D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00B2648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AB42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910373787.00000297EC6F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1909817877.00000297EC791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 28%
Source: file.exe	Virustotal: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9581fea2-e02b-4ecb-8d33-59ff9b00bbb1} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297ce76d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3820 -parentBuildID 20230927232528 -prefsHandle 2720 -prefMapHandle 2688 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76cf4d42-ad86-44da-b0ab-ff06d0696284} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e0806710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2532 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3996ec-619f-4f1d-93b6-3ac2be77d329} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e87c6f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9581fea2-e02b-4ecb-8d33-59ff9b00bbb1} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297ce76d910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3820 -parentBuildID 20230927232528 -prefsHandle 2720 -prefMapHandle 2688 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76cf4d42-ad86-44da-b0ab-ff06d0696284} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e0806710 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2532 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3996ec-619f-4f1d-93b6-3ac2be77d329} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e87c6f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1958573299.00000297DFEA3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1957486662.00000297E0995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1951126022.00000297DDEC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFCE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFC79000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1957990000.00000297E04C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951126022.00000297DDEC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1957708705.00000297E0942000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1944911914.00000297DDEC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1943855527.00000297DDECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFCE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1955039040.00000297E7FCC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1948488885.00000297EC101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFC60000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1957878663.00000297E0917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000D.00000003.1958573299.00000297DFEA3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1958573299.00000297DFEA3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb@ source: firefox.exe, 0000000D.00000003.1957486662.00000297E0995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1957708705.00000297E0942000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1943855527.00000297DDECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdbbackground-update source: firefox.exe, 0000000D.00000003.1958573299.00000297DFEA3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1957708705.00000297E0942000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000D.00000003.1957990000.00000297E04C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1946178010.00000297EC101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.1957486662.00000297E0995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1957486662.00000297E0995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFCE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1957708705.00000297E0942000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1946178010.00000297EC101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFC60000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1957708705.00000297E0942000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1958573299.00000297DFEA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958573299.00000297DFE3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1948488885.00000297EC101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1958573299.00000297DFE3E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFCE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: nssckbi.pdb@ source: firefox.exe, 0000000D.00000003.1957654072.00000297E0979000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb@ source: firefox.exe, 0000000D.00000003.1957486662.00000297E0995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1957878663.00000297E0917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFCE9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFC60000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1958573299.00000297DFEA3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1957878663.00000297E0917000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1944911914.00000297DDEC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1957486662.00000297E0995000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000D.00000003.1959192955.00000297DFC79000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AB42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD0A76 push ecx; ret

0_2_00AD0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00ACF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B41C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96915

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000019741948037 rdtsc

16_2_0000019741948037

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.9 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B1DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B268EE FindFirstFileW,FindClose,	0_2_00B268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B2698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B1D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B1D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B29642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B2979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B29B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B25C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B25C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AB42DE

Source: firefox.exe, 00000010.00000002.3592735923.0000019741E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: firefox.exe, 00000011.00000002.3591889468.00000246D7090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: file.exe, 00000000.00000003.1729203672.0000000001185000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728977971.0000000001185000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728877148.0000000001185000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728737518.0000000001185000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728555938.0000000001184000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1729087080.0000000001185000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5HHHHM3
Source: firefox.exe, 00000010.00000002.3592735923.0000019741E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs
Source: file.exe, 00000000.00000003.1800428935.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1799847434.0000000001141000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1800325049.0000000001142000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1799753609.000000000113C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1800613388.0000000001175000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3587870699.000001CBEB27A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3592735923.0000019741E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3592542753.000001CBEB713000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3592735923.0000019741E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG
Source: firefox.exe, 00000011.00000002.3586623517.00000246D6BAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.3586876220.000001974163A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3593083509.000001CBEBB40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3587870699.000001CBEB27A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3592735923.0000019741E1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000019741948037 rdtsc

16_2_0000019741948037

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B2EAA2 BlockInput,

0_2_00B2EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00AE2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AB42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00AD4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00B10B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AE2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AD083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD09D5 SetUnhandledExceptionFilter,	0_2_00AD09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00AD0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00B11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AF2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AF2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1B226 SendInput,keybd_event,

0_2_00B1B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00B322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00B10B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B11663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1927876027.00000297EC101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD0698 cpuid

0_2_00AD0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B0D21C GetLocalTime,

0_2_00B0D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B0D27A GetUserNameW,

0_2_00B0D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AEBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00AEBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AB42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6840, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6840, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00B31204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B31806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.Generic
file.exe	24%	Virustotal		Browse
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.mi.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.78	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1974716008.00000297E6928000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925204547.00000297E6928000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964731725.00000297E690B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.00000197418C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6FC3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1919857239.00000297DFCE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1922126517.00000297EB544000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3589540558.000001CBEB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.00000197418F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3592132994.00000246D7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1879885710.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927359973.00000297E6AAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814031971.00000297E6AA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824534277.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890348317.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828632218.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819664888.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827566739.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815128179.00000297E6AA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3588737607.00000246D6F8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1820978950.00000297E006C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1959192955.00000297DFC7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1919857239.00000297DFCE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1776223028.00000297DE31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776387867.00000297DE33C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776534463.00000297DE35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776703785.00000297DE377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776062535.00000297DE100000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1922653573.00000297E6C11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1956756781.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964554965.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923851550.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1925032996.00000297E694B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974380436.00000297E6955000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1776223028.00000297DE31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832583098.00000297DFAF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776387867.00000297DE33C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776534463.00000297DE35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776703785.00000297DE377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776062535.00000297DE100000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000D.00000003.1977260450.00000297E1A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1776223028.00000297DE31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776387867.00000297DE33C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776534463.00000297DE35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776703785.00000297DE377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776062535.00000297DE100000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000D.00000003.1913928982.00000297E1A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918648034.00000297E09E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957314546.00000297E09E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1975486030.00000297E63EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913451627.00000297E63EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818201561.00000297E0AF4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1963107447.00000297E7F30000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3589540558.000001CBEB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.00000197418F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3592132994.00000246D7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1959192955.00000297DFC7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1919334543.00000297DFE7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1910754502.00000297EB58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921508578.00000297EB58A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3589540558.000001CBEB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.00000197418F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3592132994.00000246D7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://www.youtube.com/	firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6F0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1863914087.00000297DFF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866728884.00000297DFF7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1922653573.00000297E6C70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964731725.00000297E690B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.00000197418C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6FC3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1922653573.00000297E6CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1869289532.00000297DFF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863914087.00000297DFF66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1881958462.00000297DF7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1921364433.00000297EC6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926151201.00000297E02D7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1922653573.00000297E6C11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1919857239.00000297DFCE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1910754502.00000297EB58A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921508578.00000297EB58A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1959192955.00000297DFC7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912076210.00000297E80CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6F0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1911639938.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1956756781.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964554965.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923851550.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1880513755.00000297DF7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920792693.00000297DF7B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962354553.00000297DE7FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882506947.00000297DE7D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894310774.00000297DFA97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894310774.00000297DFA4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916513341.00000297E105A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977822910.00000297E1A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979386230.00000297E105A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881958462.00000297DF7B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897050371.00000297EB0C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1968769046.00000297DFA65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913928982.00000297E1A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881958462.00000297DF7CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1967333030.00000297DFA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922401836.00000297EB1B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918648034.00000297E09B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912277221.00000297E6B72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970305660.00000297DF7CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879885710.00000297E6AEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827566739.00000297E6A67000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1977260450.00000297E1A70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mi.	firefox.exe, 0000000D.00000003.1931121183.00000297DDE8F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932135199.00000297DDE93000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932768768.00000297DDE93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1979780386.00000297E1029000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916891206.00000297E1029000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977260450.00000297E1A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1911400529.00000297EB1E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922239592.00000297EB1E8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1912277221.00000297E6BE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923276217.00000297E6BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1912277221.00000297E6BE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923276217.00000297E6BE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1879885710.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927359973.00000297E6AAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814031971.00000297E6AA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824534277.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890348317.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828632218.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819664888.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827566739.00000297E6AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815128179.00000297E6AA7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1925032996.00000297E694B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974380436.00000297E695C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1820978950.00000297E006C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1925032996.00000297E694B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974380436.00000297E695C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1778293255.00000297DCA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778814049.00000297DCA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779006099.00000297DCA32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941301077.00000297DCA39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1919857239.00000297DFCAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1959192955.00000297DFCAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1913928982.00000297E1A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977260450.00000297E1A73000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1863914087.00000297DFF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863914087.00000297DFF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866728884.00000297DFF7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1778293255.00000297DCA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778814049.00000297DCA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779006099.00000297DCA32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941301077.00000297DCA39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3589540558.000001CBEB5CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3588485455.00000197418F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3592132994.00000246D7203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1963107447.00000297E7F30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1820978950.00000297E006C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1922126517.00000297EB544000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1776062535.00000297DE100000.00000004.00000800.00020000.00000000.sdmp	false		high
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1911639938.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1776223028.00000297DE31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832583098.00000297DFAF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776387867.00000297DE33C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776534463.00000297DE35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820978950.00000297E006C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776703785.00000297DE377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776062535.00000297DE100000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1956756781.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1964554965.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923851550.00000297E6B1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3592210915.000001CBEB600000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3587871798.00000197416C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3588324180.00000246D6D70000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1955039040.00000297E7F04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000000D.00000003.1959192955.00000297DFC7E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574233
Start date and time:	2024-12-13 06:39:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/41@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 54.213.181.160, 35.85.93.176, 172.217.17.46, 88.221.134.155, 88.221.134.209, 142.250.181.106, 23.218.208.109, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
dyna.wikimedia.org	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.58.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.252.209.208
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.252.209.208
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cdd0de23-27da-4499-8c01-b2b6a4720476.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181672308371828
Encrypted:	false
SSDEEP:	192:ijMX02pcbhbVbTbfbRbObtbyEl7n8rmJA6WnSrDtTUd/SkDrD:iYVcNhnzFSJcrlBnSrDhUd/1
MD5:	AC3707E22DEFCE40403836786E12332F
SHA1:	0022B90B26C6A611B1E58186F084B73E6F32B067
SHA-256:	B89041684BFDE7AD8F3AA1B9893849A48EBC6DBB6ECE15E7A79C3B42B20D6217
SHA-512:	5745779E4C2B8781B4E051AEC90D6B419986D7E2BE4E898F1B430AF77DB07047BEEE0CCB4269891DB9B93FC24F4ADA204A931748C114709C824286FC4AF0613F
Malicious:	false
Preview:	{"type":"uninstall","id":"cdd0de23-27da-4499-8c01-b2b6a4720476","creationDate":"2024-12-13T07:03:00.648Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cdd0de23-27da-4499-8c01-b2b6a4720476.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181672308371828
Encrypted:	false
SSDEEP:	192:ijMX02pcbhbVbTbfbRbObtbyEl7n8rmJA6WnSrDtTUd/SkDrD:iYVcNhnzFSJcrlBnSrDhUd/1
MD5:	AC3707E22DEFCE40403836786E12332F
SHA1:	0022B90B26C6A611B1E58186F084B73E6F32B067
SHA-256:	B89041684BFDE7AD8F3AA1B9893849A48EBC6DBB6ECE15E7A79C3B42B20D6217
SHA-512:	5745779E4C2B8781B4E051AEC90D6B419986D7E2BE4E898F1B430AF77DB07047BEEE0CCB4269891DB9B93FC24F4ADA204A931748C114709C824286FC4AF0613F
Malicious:	false
Preview:	{"type":"uninstall","id":"cdd0de23-27da-4499-8c01-b2b6a4720476","creationDate":"2024-12-13T07:03:00.648Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312172402789167
Encrypted:	false
SSDEEP:	24:y/dfm6Ad+TIUx2dWoM15QLN8zmwsdfm6Ad+swM+bpoqdWoM15QLFX1Rgmwudfm6u:y/d6BUgdwdzjsd6X6Bdwbjud6XadwJ1
MD5:	EEB18BEDDBCF340912FB39A73A6BFA06
SHA1:	2C5CEA9DC0AD20EC02320FB4AC5B556AEE96E7EB
SHA-256:	D5CDB42BD5E583554B13777A9E4AE6039892E245BDE098ACD2F1496F76CD7FF1
SHA-512:	E45BCD096BC8DC39ACC37124A7A5A020612907BDF08840BE73D857DF33A8D426DC71CAD543B42C4D72FA0BE2D01AFF27280B7E32D24E43BAA2310C93CD447484
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........[.!M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y.-....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.-............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.-..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........{.?......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312172402789167
Encrypted:	false
SSDEEP:	24:y/dfm6Ad+TIUx2dWoM15QLN8zmwsdfm6Ad+swM+bpoqdWoM15QLFX1Rgmwudfm6u:y/d6BUgdwdzjsd6X6Bdwbjud6XadwJ1
MD5:	EEB18BEDDBCF340912FB39A73A6BFA06
SHA1:	2C5CEA9DC0AD20EC02320FB4AC5B556AEE96E7EB
SHA-256:	D5CDB42BD5E583554B13777A9E4AE6039892E245BDE098ACD2F1496F76CD7FF1
SHA-512:	E45BCD096BC8DC39ACC37124A7A5A020612907BDF08840BE73D857DF33A8D426DC71CAD543B42C4D72FA0BE2D01AFF27280B7E32D24E43BAA2310C93CD447484
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........[.!M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y.-....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.-............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.-..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........{.?......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MEFCKG4WZIHG1ROS00XY.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312172402789167
Encrypted:	false
SSDEEP:	24:y/dfm6Ad+TIUx2dWoM15QLN8zmwsdfm6Ad+swM+bpoqdWoM15QLFX1Rgmwudfm6u:y/d6BUgdwdzjsd6X6Bdwbjud6XadwJ1
MD5:	EEB18BEDDBCF340912FB39A73A6BFA06
SHA1:	2C5CEA9DC0AD20EC02320FB4AC5B556AEE96E7EB
SHA-256:	D5CDB42BD5E583554B13777A9E4AE6039892E245BDE098ACD2F1496F76CD7FF1
SHA-512:	E45BCD096BC8DC39ACC37124A7A5A020612907BDF08840BE73D857DF33A8D426DC71CAD543B42C4D72FA0BE2D01AFF27280B7E32D24E43BAA2310C93CD447484
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........[.!M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y.-....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.-............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.-..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........{.?......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWAFZQWL37PFK0KKM0F2.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312172402789167
Encrypted:	false
SSDEEP:	24:y/dfm6Ad+TIUx2dWoM15QLN8zmwsdfm6Ad+swM+bpoqdWoM15QLFX1Rgmwudfm6u:y/d6BUgdwdzjsd6X6Bdwbjud6XadwJ1
MD5:	EEB18BEDDBCF340912FB39A73A6BFA06
SHA1:	2C5CEA9DC0AD20EC02320FB4AC5B556AEE96E7EB
SHA-256:	D5CDB42BD5E583554B13777A9E4AE6039892E245BDE098ACD2F1496F76CD7FF1
SHA-512:	E45BCD096BC8DC39ACC37124A7A5A020612907BDF08840BE73D857DF33A8D426DC71CAD543B42C4D72FA0BE2D01AFF27280B7E32D24E43BAA2310C93CD447484
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........[.!M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y.-....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.-............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.-..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........{.?......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929963306528067
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL6aX8P:8S+OBIUjOdwiOdYVjjwL6C8P
MD5:	156EBB3B44BE73C593C98D3CEA7F2C5A
SHA1:	645EA7BFC4E87E42DFF435DFD4F8A85A42B37198
SHA-256:	E41D49D7A11DB3CB980A094124E1ECB07B77FB6B8FA075F6FD5DEF8FDE79C87C
SHA-512:	E131640E6D183BC75BB355E0E254D89403ABCB5CDA50D539B39F67F9F7C0674686344644FA4C08D821939AD2B6A8677FDB8E75253DE11E3846E20CDC68E4A8EB
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929963306528067
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL6aX8P:8S+OBIUjOdwiOdYVjjwL6C8P
MD5:	156EBB3B44BE73C593C98D3CEA7F2C5A
SHA1:	645EA7BFC4E87E42DFF435DFD4F8A85A42B37198
SHA-256:	E41D49D7A11DB3CB980A094124E1ECB07B77FB6B8FA075F6FD5DEF8FDE79C87C
SHA-512:	E131640E6D183BC75BB355E0E254D89403ABCB5CDA50D539B39F67F9F7C0674686344644FA4C08D821939AD2B6A8677FDB8E75253DE11E3846E20CDC68E4A8EB
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	96E833F6277691AC8462E50954554951
SHA1:	EC5B67DFBDA2BD03D80A2E85431DF0FB9BBCE766
SHA-256:	5EAF88180FAE44AA7E69FBEBAFAA55EF502383F64F74452996B678752C8B7710
SHA-512:	824415D4F2DA6C97FA9572DA9ABBF336ACB6B91A402044583CC9D08A718962DFFC3ACE8B0476D826795EEFE7E58AF4AE2BFEF86D896F14269EFDB6E1ED23FB6A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039498591375498646
Encrypted:	false
SSDEEP:	3:GHlhV+v3NeGvCbJNOXlhV+v3NeGvCbJNOSol8a9//Ylll4llqlyllel4lt:G7V+v3TvCtWV+v3TvCtmL9XIwlio
MD5:	8FF1E35D27A8482A85335AFB44753689
SHA1:	B040E46AB53EFFED4DE644DD95CF2047F41D6D30
SHA-256:	A35B9A4BAF09450FD4021435D8012178DCA879730EE000680A871F2C191EF855
SHA-512:	63950D4267126F10B085E9CB53D46518E8D717E4958DAF0CF830BD8FD864ABF8D9A37B2124A5B1B89B8B8D7E57EA2198105FBB82506EA3BF0F31366C41416AEC
Malicious:	false
Preview:	..-.....................S..g...........i.,h.J...-.....................S..g...........i.,h.J.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11802953558683323
Encrypted:	false
SSDEEP:	24:KpqqQfkwLxsZ+u6jxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsax3wlNVZ2i7+:gJQMEQMJtUnWdU+RVxgNZk
MD5:	BDA6663C1CD6C78B8E9C2C968873B231
SHA1:	C17445B716F9B7D232BD544DF3896221AE3A48AD
SHA-256:	4D50D5E7CA1F396C544D24AA1E0E9C6952CCE63FC3D1500E1DC31B82FD933119
SHA-512:	1C4ACCEF8C553B61DA014D6FD4C3D6AE52C95DEA02DD416FE2987D4AAEA98B09CB9EDCC9E1965BCE0AC57AAD144734CE94367ACD829B037F0FEB1D30B911EC20
Malicious:	false
Preview:	7....-.....................R..................7..g...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495252995953994
Encrypted:	false
SSDEEP:	192:WanaRtLYbBp6Khj4qyaaXd6KR93uNSN5RfGNBw8djSl:+ekqzwqycwo0
MD5:	270D5FFFF5558E85B374A75E24C3D49E
SHA1:	4A42887CEB64F433FAB87041023BF44969D6AA37
SHA-256:	4BDFBD8A5EFB29CC475D5D93C25D9A1580B326AE21A5C499F24FB1901D372E93
SHA-512:	847B03C054BA2FAF179BD0A5C9FE517DEEB176E27E1C5870F7938695271FD884CB76EF8C1663431493E20E206D3A0F3DB72A303F3CEFFA9138FC60D462444B59
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734073351);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734073351);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734073351);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495252995953994
Encrypted:	false
SSDEEP:	192:WanaRtLYbBp6Khj4qyaaXd6KR93uNSN5RfGNBw8djSl:+ekqzwqycwo0
MD5:	270D5FFFF5558E85B374A75E24C3D49E
SHA1:	4A42887CEB64F433FAB87041023BF44969D6AA37
SHA-256:	4BDFBD8A5EFB29CC475D5D93C25D9A1580B326AE21A5C499F24FB1901D372E93
SHA-512:	847B03C054BA2FAF179BD0A5C9FE517DEEB176E27E1C5870F7938695271FD884CB76EF8C1663431493E20E206D3A0F3DB72A303F3CEFFA9138FC60D462444B59
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734073351);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734073351);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734073351);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	6.355199135394202
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSHLXnIg6/pnxQwRls6ZspHVpVGH3j6xiMFatdL7QH2oXpTurfNge4:cpOx2qnRTZYQGxHFaDkpTWNR4
MD5:	E4F71595CEFCF964C7062556E2BCD6CC
SHA1:	1AC39F9503925EE84601FB82E2E17ADB0D07D484
SHA-256:	5D6F4EBB0E0C3DB400BE1117437839654F1309E2E2E5A05EC92E208DEC2C4B62
SHA-512:	0ECD08E2DE9E3CB620E52C591B7F306C34D1D6643D909BEA032DE1881400C0EA5E443001FE984C4582D31D202DC70A88040067789F8C26EB9A1D1F35D0A610B4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5009caf9-2a56-4758-b944-7c412699aff3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734073356772,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...3,"startTim..A2032...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...29622,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	6.355199135394202
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSHLXnIg6/pnxQwRls6ZspHVpVGH3j6xiMFatdL7QH2oXpTurfNge4:cpOx2qnRTZYQGxHFaDkpTWNR4
MD5:	E4F71595CEFCF964C7062556E2BCD6CC
SHA1:	1AC39F9503925EE84601FB82E2E17ADB0D07D484
SHA-256:	5D6F4EBB0E0C3DB400BE1117437839654F1309E2E2E5A05EC92E208DEC2C4B62
SHA-512:	0ECD08E2DE9E3CB620E52C591B7F306C34D1D6643D909BEA032DE1881400C0EA5E443001FE984C4582D31D202DC70A88040067789F8C26EB9A1D1F35D0A610B4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5009caf9-2a56-4758-b944-7c412699aff3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734073356772,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...3,"startTim..A2032...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...29622,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	6.355199135394202
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSHLXnIg6/pnxQwRls6ZspHVpVGH3j6xiMFatdL7QH2oXpTurfNge4:cpOx2qnRTZYQGxHFaDkpTWNR4
MD5:	E4F71595CEFCF964C7062556E2BCD6CC
SHA1:	1AC39F9503925EE84601FB82E2E17ADB0D07D484
SHA-256:	5D6F4EBB0E0C3DB400BE1117437839654F1309E2E2E5A05EC92E208DEC2C4B62
SHA-512:	0ECD08E2DE9E3CB620E52C591B7F306C34D1D6643D909BEA032DE1881400C0EA5E443001FE984C4582D31D202DC70A88040067789F8C26EB9A1D1F35D0A610B4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{5009caf9-2a56-4758-b944-7c412699aff3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734073356772,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...3,"startTim..A2032...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...29622,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032841688682566
Encrypted:	false
SSDEEP:	48:YrSAYOT6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycmyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	1DDF0E001ECAF0C70BDA6DE4E49D3711
SHA1:	5B37DEF10F20AC4BE871A075F51C30EE460120E2
SHA-256:	EC1A96FF9EA2B4C5B7B1E558BDCA1B9211A16DCFA46569B3315344CD7FEC5DB4
SHA-512:	765E75B3D56CEF0F85790A67938F8D061E18D2A7713A397CBF57D321B3CB6F462AB7824A3B1497BA325ECBE5907DEF86B3D454127A7616A8FACBEED2312A407A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T07:02:20.065Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032841688682566
Encrypted:	false
SSDEEP:	48:YrSAYOT6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycmyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	1DDF0E001ECAF0C70BDA6DE4E49D3711
SHA1:	5B37DEF10F20AC4BE871A075F51C30EE460120E2
SHA-256:	EC1A96FF9EA2B4C5B7B1E558BDCA1B9211A16DCFA46569B3315344CD7FEC5DB4
SHA-512:	765E75B3D56CEF0F85790A67938F8D061E18D2A7713A397CBF57D321B3CB6F462AB7824A3B1497BA325ECBE5907DEF86B3D454127A7616A8FACBEED2312A407A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T07:02:20.065Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.70753871481993
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	972'288 bytes
MD5:	e065205fc134566fda736ccc9be37e12
SHA1:	ee67f894363f08641cc5776c221f506f655f3974
SHA256:	d9fa5d9c0c146db63a04997489362a3991095598941556880dbc5a2d22cc6c35
SHA512:	411dbbf6fe7451e6bb92d3666efb53ccbdf84380781ea657d7042b0d5837bd1c704c16f14f3891b242d7fdf36e47fa108ac938531a4c3c2332f8d9f27469a4cd
SSDEEP:	24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aZGFh:5TvC/MTQYxsWR7aZGF
TLSH:	18259E0273D1C062FFAB92334F5AF6515BBC69260123A61F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BC499 [Fri Dec 13 05:22:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F330565F293h
jmp 00007F330565EB9Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F330565ED7Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F330565ED4Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F330566193Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3305661988h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3305661971h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16a90	0x16c00	f93a5fed5a55f5ece9222da2540473f3	False	0.7071171016483516	data	7.199124540720954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xdc12	data			1.0004615002307502
RT_GROUP_ICON	0xea510	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea588	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea59c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea5b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea5c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea6a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 06:40:41.044140100 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:41.044270992 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 06:40:41.044661045 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:41.049576044 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:41.049616098 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 06:40:42.281869888 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 06:40:42.282706976 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:42.338566065 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:42.338613033 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 06:40:42.338692904 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:42.339255095 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 06:40:42.339462042 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:40:43.737790108 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:43.737889051 CET	443	49738	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:43.738697052 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:43.739957094 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:43.739993095 CET	443	49738	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:43.759435892 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:43.759524107 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:43.766391039 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:43.769722939 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:43.769766092 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:43.877053022 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:43.996779919 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:43.998718023 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:43.999053955 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:44.118973017 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:44.387271881 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:44.387295008 CET	443	49741	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:44.387495041 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:44.387501001 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:44.389626980 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:44.389689922 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:44.391041994 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:44.391053915 CET	443	49741	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:44.391201019 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:44.391208887 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:44.545886040 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:44.545898914 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:44.546390057 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:44.547632933 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:44.547643900 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.085932970 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:45.143937111 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.219482899 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:45.219572067 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 06:40:45.219693899 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:45.219840050 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:45.219857931 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 06:40:45.447817087 CET	443	49738	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.447897911 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.448810101 CET	443	49738	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.448868990 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.452299118 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.452308893 CET	443	49738	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.452373981 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.452573061 CET	443	49738	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.460392952 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.460438013 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.461867094 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.466886997 CET	49738	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.467021942 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.467087030 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.473623037 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.473707914 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.473742008 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.473956108 CET	443	49739	142.250.181.78	192.168.2.4
Dec 13, 2024 06:40:45.474013090 CET	49739	443	192.168.2.4	142.250.181.78
Dec 13, 2024 06:40:45.501797915 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.612776995 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:45.612854004 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:45.615672112 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:45.615677118 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:45.616079092 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:45.618042946 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:45.618117094 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:45.618220091 CET	443	49742	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:45.618345022 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:45.618364096 CET	49742	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:45.621309996 CET	443	49741	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.621561050 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:45.622176886 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.622205973 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.624078989 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.625775099 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.625780106 CET	443	49741	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.625857115 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.626029015 CET	443	49741	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.626161098 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.626257896 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.629647017 CET	49741	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.629683971 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.631045103 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.631081104 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.674056053 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.743762970 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:45.759491920 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.781081915 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.781148911 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.785156012 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.785159111 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.785329103 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.785404921 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.785494089 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.840089083 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:45.845902920 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.879558086 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:45.879641056 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.879781961 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:45.885585070 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.885670900 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:45.891788006 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.893032074 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:45.893055916 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:46.005059004 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:46.446497917 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 06:40:46.446579933 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:46.449120045 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:46.449147940 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 06:40:46.449563980 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 06:40:46.451559067 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:46.451639891 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:46.451750040 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 06:40:46.451839924 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 06:40:46.789401054 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:46.789767027 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:46.909733057 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:46.915245056 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:46.944140911 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:46.944238901 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:46.947582006 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:46.947611094 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:46.947659016 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:46.947880983 CET	443	49747	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:46.948060036 CET	49747	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:46.967037916 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:47.018002033 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:47.112416029 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:47.122248888 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.158329010 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.158329010 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.158416033 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:47.158663988 CET	443	49749	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:47.158844948 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.158932924 CET	443	49751	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:47.161941051 CET	49749	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.161942005 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.171237946 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:47.171288013 CET	443	49751	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:48.402066946 CET	443	49751	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:48.402282000 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:48.406900883 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:48.406900883 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:48.406960011 CET	443	49751	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:48.407247066 CET	443	49751	34.117.188.166	192.168.2.4
Dec 13, 2024 06:40:48.407419920 CET	49751	443	192.168.2.4	34.117.188.166
Dec 13, 2024 06:40:48.798201084 CET	49752	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:48.800260067 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:48.918174982 CET	80	49752	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:48.918387890 CET	49752	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:48.918387890 CET	49752	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:48.920104027 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:49.038358927 CET	80	49752	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:49.115573883 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:49.170341969 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:49.982322931 CET	49752	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:49.989326000 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:50.012006998 CET	80	49752	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:50.015098095 CET	49752	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:50.102690935 CET	80	49752	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:50.104449987 CET	49752	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:50.109433889 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:50.115336895 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:50.115561008 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:50.121872902 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:50.121978045 CET	443	49755	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:50.122771025 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:50.122889996 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:50.122912884 CET	443	49755	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:50.139352083 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:50.139434099 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:50.139616966 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:50.140850067 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:50.140883923 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:50.160295010 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:50.160379887 CET	443	49757	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:50.160463095 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:50.161849976 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:50.161931992 CET	443	49757	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:50.235786915 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:51.201539993 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:51.243103027 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:51.342794895 CET	443	49755	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:51.342896938 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:51.345448971 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:51.345478058 CET	443	49755	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:51.345834970 CET	443	49755	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:51.347862959 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:51.347934008 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:51.348031998 CET	443	49755	35.244.181.201	192.168.2.4
Dec 13, 2024 06:40:51.348114014 CET	49755	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:40:51.369297028 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:51.369371891 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:51.373400927 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:51.373414993 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:51.373477936 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:51.373774052 CET	443	49756	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:51.373856068 CET	49756	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:51.394678116 CET	443	49757	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:51.394870043 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:51.398657084 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:51.398657084 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:51.398715973 CET	443	49757	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:51.398983002 CET	443	49757	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:51.399280071 CET	49757	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:52.345217943 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:52.345304966 CET	443	49759	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:52.345428944 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:52.346828938 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:52.346913099 CET	443	49759	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:53.569700956 CET	443	49759	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:53.570604086 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:54.495383024 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:54.495383978 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:54.495465994 CET	443	49759	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:54.495974064 CET	443	49759	34.149.100.209	192.168.2.4
Dec 13, 2024 06:40:54.496805906 CET	49759	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:40:54.564199924 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:54.564706087 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:54.564785957 CET	443	49762	34.107.243.93	192.168.2.4
Dec 13, 2024 06:40:54.566699982 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:54.568165064 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:54.568187952 CET	443	49762	34.107.243.93	192.168.2.4
Dec 13, 2024 06:40:54.580425024 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:54.580461025 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:54.581655979 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:54.581784964 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:54.581800938 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:54.684475899 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:54.879300117 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:54.922162056 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:55.121838093 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.121937037 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.122755051 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.124010086 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.124051094 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.126698971 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.126785994 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.137064934 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.137192011 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.137228966 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.535068989 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:55.655211926 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:55.792002916 CET	443	49762	34.107.243.93	192.168.2.4
Dec 13, 2024 06:40:55.796205044 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.803349018 CET	443	49762	34.107.243.93	192.168.2.4
Dec 13, 2024 06:40:55.809161901 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:55.809242964 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.824780941 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:55.830338001 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.830374002 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.831186056 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:55.832659960 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:55.832670927 CET	443	49762	34.107.243.93	192.168.2.4
Dec 13, 2024 06:40:55.832730055 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:55.832818985 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.832865953 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.832973003 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:55.833302975 CET	443	49762	34.107.243.93	192.168.2.4
Dec 13, 2024 06:40:55.833507061 CET	49762	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:40:55.850663900 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:55.909507990 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:56.337412119 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.337627888 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.353034019 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.353055000 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.354125023 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.356298923 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.356353998 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.356713057 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.410912037 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.416779995 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.416867971 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.416906118 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.417036057 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.417036057 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.417171001 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.417248964 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:56.417455912 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:56.417617083 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:58.602829933 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:58.607968092 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:58.608045101 CET	443	49768	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:58.609009981 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:58.610217094 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:40:58.610259056 CET	443	49768	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:58.723073959 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:58.918880939 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:58.964911938 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:59.236500025 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:59.357017040 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:59.551768064 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:40:59.620079994 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:40:59.829646111 CET	443	49768	34.120.208.123	192.168.2.4
Dec 13, 2024 06:40:59.829875946 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:00.649854898 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:00.649939060 CET	443	49768	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:00.649974108 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:00.650640011 CET	443	49768	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:00.653409004 CET	49768	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:00.668759108 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:00.788775921 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:00.984339952 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:00.992053986 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:01.039902925 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:01.111942053 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:01.307128906 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:01.356292009 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:03.699683905 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:03.699743032 CET	443	49770	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:03.700261116 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:03.701488972 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:03.701507092 CET	443	49770	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:04.921336889 CET	443	49770	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:04.921412945 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:04.926067114 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:04.926076889 CET	443	49770	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:04.926151037 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:04.926335096 CET	443	49770	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:04.926378012 CET	49770	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:04.929367065 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:05.049190998 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:05.274350882 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:05.277132988 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:05.336353064 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:05.397339106 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:05.592806101 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:05.637218952 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:09.752901077 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:09.752996922 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:09.753498077 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:09.753568888 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:09.753587008 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:09.755098104 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:09.755132914 CET	443	49772	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:09.755593061 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:09.755677938 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:09.755683899 CET	443	49772	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:09.760251045 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:09.760258913 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 06:41:09.762514114 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:09.764058113 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:09.764066935 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 06:41:09.892008066 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:09.892103910 CET	443	49774	151.101.129.91	192.168.2.4
Dec 13, 2024 06:41:09.895632982 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:09.896454096 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:09.896497011 CET	443	49774	151.101.129.91	192.168.2.4
Dec 13, 2024 06:41:09.900597095 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:09.900671959 CET	443	49775	35.201.103.21	192.168.2.4
Dec 13, 2024 06:41:09.901129007 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:09.902468920 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:09.902499914 CET	443	49775	35.201.103.21	192.168.2.4
Dec 13, 2024 06:41:10.972758055 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:10.972908020 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:10.974263906 CET	443	49772	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:10.974447966 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:10.976254940 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:10.976285934 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:10.976643085 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:10.978671074 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:10.978684902 CET	443	49772	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:10.979027987 CET	443	49772	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:10.981605053 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:10.981796980 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:10.981841087 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:10.981862068 CET	443	49771	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:10.982242107 CET	49771	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:10.982433081 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:10.982511997 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:10.982625008 CET	443	49772	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:10.984812975 CET	49772	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:10.986563921 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:10.988810062 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 06:41:10.988903999 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:10.993051052 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:10.993069887 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 06:41:10.993172884 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:10.993652105 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 06:41:10.993932962 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 06:41:11.120781898 CET	443	49774	151.101.129.91	192.168.2.4
Dec 13, 2024 06:41:11.120877028 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:11.121604919 CET	443	49775	35.201.103.21	192.168.2.4
Dec 13, 2024 06:41:11.124685049 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:11.124713898 CET	443	49774	151.101.129.91	192.168.2.4
Dec 13, 2024 06:41:11.125129938 CET	443	49774	151.101.129.91	192.168.2.4
Dec 13, 2024 06:41:11.125143051 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:11.129513025 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:11.129627943 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:11.129712105 CET	443	49774	151.101.129.91	192.168.2.4
Dec 13, 2024 06:41:11.130692005 CET	49774	443	192.168.2.4	151.101.129.91
Dec 13, 2024 06:41:11.131248951 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:11.131261110 CET	443	49775	35.201.103.21	192.168.2.4
Dec 13, 2024 06:41:11.131306887 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:11.131529093 CET	443	49775	35.201.103.21	192.168.2.4
Dec 13, 2024 06:41:11.139334917 CET	49775	443	192.168.2.4	35.201.103.21
Dec 13, 2024 06:41:11.139945030 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.139976978 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:11.140600920 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.140846014 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.140860081 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:11.142626047 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.142716885 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:11.143418074 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.143570900 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.143608093 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:11.146199942 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.146223068 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:11.146410942 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.146508932 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:11.146519899 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:11.157617092 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:11.157707930 CET	443	49779	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:11.157850027 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:11.157978058 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:11.158014059 CET	443	49779	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:11.204687119 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:11.400011063 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:11.403191090 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:11.454013109 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:11.523444891 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:11.718560934 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:11.770363092 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:12.384413004 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.384515047 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.388346910 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.388382912 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.388725042 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.389488935 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.390734911 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.393322945 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.393708944 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.393739939 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.393742085 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.393918037 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.393920898 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.394134998 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.394146919 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.394759893 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.397305965 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.397311926 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.397614956 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.398008108 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:12.401787043 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.401828051 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.402183056 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.402271986 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.402306080 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.402420998 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.403477907 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.403490067 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.410958052 CET	443	49779	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:12.411221027 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:12.413501978 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:12.413513899 CET	443	49779	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:12.414172888 CET	443	49779	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:12.415771008 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:12.415843010 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:12.415920973 CET	443	49779	34.149.100.209	192.168.2.4
Dec 13, 2024 06:41:12.416688919 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:12.416707993 CET	49779	443	192.168.2.4	34.149.100.209
Dec 13, 2024 06:41:12.599411011 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 06:41:12.599917889 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 06:41:12.618809938 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:12.814883947 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:12.819550037 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:12.858020067 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:12.940145016 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:13.148221016 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:13.189455986 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:14.947149992 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:14.947182894 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:14.947416067 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:14.949400902 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:14.949424028 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:16.180350065 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:16.180424929 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:16.184735060 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:16.184766054 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:16.184814930 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:16.184987068 CET	443	49781	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:16.185077906 CET	49781	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:16.187741995 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:16.307632923 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:16.502855062 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:16.507170916 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:16.545798063 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:16.805552006 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:17.000623941 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:17.047394991 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:26.510443926 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:26.630358934 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:27.011852026 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:27.132317066 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:34.985250950 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:35.105458975 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:35.300784111 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:35.304718018 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:35.349486113 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:35.425076962 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:35.619810104 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:35.681658030 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:36.826721907 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:36.826769114 CET	443	49801	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:36.837913990 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:36.839914083 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:36.839932919 CET	443	49801	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:38.052853107 CET	443	49801	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:38.052887917 CET	443	49801	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:38.052934885 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:38.056466103 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:38.056487083 CET	443	49801	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:38.056571007 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:38.056658030 CET	443	49801	34.107.243.93	192.168.2.4
Dec 13, 2024 06:41:38.057286978 CET	49801	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:41:38.058929920 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:38.178864956 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:38.374603033 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:38.377486944 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:38.426897049 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:38.497354984 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:38.693069935 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:38.743355036 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:39.938630104 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.938683033 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:39.938760042 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.938865900 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.938868046 CET	443	49812	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:39.938890934 CET	443	49813	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:39.939321041 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.939430952 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.939430952 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.939438105 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.939441919 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:39.939543009 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.939558983 CET	443	49813	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:39.939626932 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:39.939661980 CET	443	49812	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.154553890 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.154625893 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.155899048 CET	443	49813	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.156002998 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.157545090 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.157552958 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.157879114 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.159687996 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.159719944 CET	443	49813	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.160049915 CET	443	49813	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.161485910 CET	443	49812	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.161595106 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.163620949 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.163649082 CET	443	49812	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.164117098 CET	443	49812	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.165057898 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.165148973 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.165229082 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.165380955 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.165448904 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.165664911 CET	443	49813	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.165705919 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.165834904 CET	49813	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.167434931 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.167495012 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.167779922 CET	443	49812	34.120.208.123	192.168.2.4
Dec 13, 2024 06:41:41.169352055 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:41.170109034 CET	49812	443	192.168.2.4	34.120.208.123
Dec 13, 2024 06:41:41.289119005 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:41.484693050 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:41.488723040 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:41.535265923 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:41.609015942 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:41.809047937 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:41.852092981 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:51.495611906 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:51.615613937 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:41:51.812177896 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:41:51.932424068 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:01.624083042 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:01.744165897 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:01.940563917 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:02.060441017 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:11.751367092 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:11.871457100 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:12.068053007 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:12.188570023 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:18.190996885 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:18.191083908 CET	443	49900	34.107.243.93	192.168.2.4
Dec 13, 2024 06:42:18.191198111 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:18.193423033 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:18.193507910 CET	443	49900	34.107.243.93	192.168.2.4
Dec 13, 2024 06:42:19.412528992 CET	443	49900	34.107.243.93	192.168.2.4
Dec 13, 2024 06:42:19.412975073 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:19.420006037 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:19.420006037 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:19.420092106 CET	443	49900	34.107.243.93	192.168.2.4
Dec 13, 2024 06:42:19.420322895 CET	443	49900	34.107.243.93	192.168.2.4
Dec 13, 2024 06:42:19.420731068 CET	49900	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:42:19.424077034 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:19.543937922 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:19.739269972 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:19.743110895 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:19.790326118 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:19.863163948 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:20.058336020 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:20.106996059 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:29.749828100 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:29.869832039 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:30.072771072 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:30.193068027 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:39.879767895 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:39.999926090 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:40.202689886 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:40.322782040 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:50.003374100 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:50.123845100 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:42:50.342086077 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:42:50.462347984 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:00.133147955 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:00.252938032 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:00.471911907 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:00.591856003 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:10.262263060 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:10.381921053 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:10.600939035 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:10.720679045 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:20.390747070 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:20.511034966 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:20.729406118 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:20.849137068 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:30.519282103 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:30.639004946 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:30.857976913 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:30.977632046 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:39.816198111 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:39.816277027 CET	443	50054	34.107.243.93	192.168.2.4
Dec 13, 2024 06:43:39.816375971 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:39.821605921 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:39.821636915 CET	443	50054	34.107.243.93	192.168.2.4
Dec 13, 2024 06:43:40.644937038 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:40.764666080 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:40.992675066 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:41.032010078 CET	443	50054	34.107.243.93	192.168.2.4
Dec 13, 2024 06:43:41.037008047 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:41.041806936 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:41.041841030 CET	443	50054	34.107.243.93	192.168.2.4
Dec 13, 2024 06:43:41.041928053 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:41.042016029 CET	443	50054	34.107.243.93	192.168.2.4
Dec 13, 2024 06:43:41.042112112 CET	50054	443	192.168.2.4	34.107.243.93
Dec 13, 2024 06:43:41.044131994 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:41.112741947 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:41.164146900 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:41.164309978 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:41.183554888 CET	50055	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:41.303539038 CET	80	50055	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:41.303623915 CET	50055	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:41.303767920 CET	50055	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:41.423690081 CET	80	50055	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:42.392540932 CET	80	50055	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:42.395493984 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:42.395755053 CET	50056	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:42.434335947 CET	50055	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:42.515675068 CET	80	50056	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:42.515739918 CET	80	49754	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:42.515764952 CET	50056	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:42.515846014 CET	49754	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:42.515911102 CET	50056	80	192.168.2.4	34.107.221.82
Dec 13, 2024 06:43:42.635756969 CET	80	50056	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:43.602731943 CET	80	50056	34.107.221.82	192.168.2.4
Dec 13, 2024 06:43:43.653429031 CET	50056	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 06:40:41.044701099 CET	51074	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:41.182703972 CET	53	51074	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:41.183269024 CET	51572	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:41.512095928 CET	53	51572	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:43.598165035 CET	62909	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:43.736423016 CET	53	62909	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:43.737148046 CET	62898	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:43.740711927 CET	64327	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:43.877439976 CET	63121	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:43.877933979 CET	53	64327	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:43.878400087 CET	63823	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.015290976 CET	53	63121	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.015883923 CET	53	63823	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.018426895 CET	56093	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.110281944 CET	54860	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.156213045 CET	53	56093	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.248306036 CET	53	54860	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.387753010 CET	57421	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.388014078 CET	62653	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.407557964 CET	59991	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.524974108 CET	53	57421	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.525422096 CET	53	62653	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.528924942 CET	49621	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.529184103 CET	64859	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.544441938 CET	53	59991	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.546412945 CET	52864	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.666325092 CET	53	49621	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.667031050 CET	53	64859	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.684976101 CET	53	52864	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.690700054 CET	59435	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:44.829247952 CET	53	59435	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:44.851923943 CET	59251	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:45.217401028 CET	53	59251	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:45.219679117 CET	55828	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:45.314156055 CET	49154	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:45.358041048 CET	53	55828	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:45.359605074 CET	63182	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:45.360991001 CET	59153	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:45.364964008 CET	65087	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:45.451637030 CET	53	49154	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:45.497342110 CET	53	63182	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:45.502003908 CET	53	65087	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:48.791887045 CET	62485	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:48.796247959 CET	52399	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:48.930340052 CET	53	62485	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:48.931032896 CET	51849	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:49.068557024 CET	53	51849	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:49.069279909 CET	54986	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:49.207262993 CET	53	54986	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:49.294892073 CET	53	52182	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:49.984417915 CET	49689	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.006402969 CET	57009	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.014369965 CET	57524	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.121690989 CET	53	49689	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.139560938 CET	52293	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.145214081 CET	53	57009	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.151918888 CET	53	57524	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.152076960 CET	57679	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.160335064 CET	61919	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.276696920 CET	53	52293	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.277173042 CET	58532	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.289414883 CET	53	57679	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.289897919 CET	50129	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.298621893 CET	53	61919	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.299153090 CET	57414	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:50.415021896 CET	53	58532	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.429702997 CET	53	50129	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:50.436912060 CET	53	57414	1.1.1.1	192.168.2.4
Dec 13, 2024 06:40:55.138144970 CET	61082	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:40:55.275711060 CET	53	61082	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:00.668622971 CET	56000	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:02.908055067 CET	60502	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:02.908166885 CET	65419	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:02.908292055 CET	52490	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.045430899 CET	53	60502	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.046216011 CET	53	52490	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.046344042 CET	52545	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.046885014 CET	52087	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.050674915 CET	53	65419	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.051203012 CET	63626	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.183773041 CET	53	52545	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.184272051 CET	54852	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.187411070 CET	53	52087	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.187823057 CET	61311	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.190221071 CET	53	63626	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.190615892 CET	56769	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.324053049 CET	53	54852	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.326900005 CET	53	61311	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.327608109 CET	59097	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.327608109 CET	56090	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.328535080 CET	53	56769	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.465082884 CET	53	59097	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.465681076 CET	52776	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.548849106 CET	53	56090	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.549447060 CET	57945	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.604463100 CET	53	52776	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.604899883 CET	60133	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.687381983 CET	53	57945	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.687971115 CET	49446	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.700126886 CET	57196	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:03.742369890 CET	53	60133	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.838350058 CET	53	57196	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:03.908714056 CET	53	49446	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:09.752063036 CET	50259	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:09.752895117 CET	58942	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:09.762523890 CET	60856	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:09.891104937 CET	53	50259	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:09.892436028 CET	55921	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:09.899842024 CET	53	60856	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:09.990685940 CET	53	58942	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:09.993434906 CET	57809	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:09.993434906 CET	53346	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:10.030436993 CET	53	55921	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:10.030925989 CET	60623	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:10.131650925 CET	53	57809	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:10.132184982 CET	53	53346	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:10.133511066 CET	60134	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:10.170118093 CET	53	60623	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:10.270878077 CET	53	60134	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:14.946480989 CET	52052	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:15.085427046 CET	53	52052	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:15.086807013 CET	59509	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:15.224194050 CET	53	59509	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:34.985666037 CET	55783	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:35.378684044 CET	55409	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:35.518897057 CET	53	55409	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:36.686297894 CET	59606	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:36.823697090 CET	53	59606	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:36.827398062 CET	52947	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:36.969458103 CET	53	52947	1.1.1.1	192.168.2.4
Dec 13, 2024 06:41:39.938050032 CET	51537	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:41:40.075095892 CET	53	51537	1.1.1.1	192.168.2.4
Dec 13, 2024 06:42:18.190455914 CET	57606	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:42:18.327924967 CET	53	57606	1.1.1.1	192.168.2.4
Dec 13, 2024 06:43:39.529288054 CET	50222	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:43:39.666868925 CET	53	50222	1.1.1.1	192.168.2.4
Dec 13, 2024 06:43:39.674573898 CET	60458	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:43:39.813407898 CET	53	60458	1.1.1.1	192.168.2.4
Dec 13, 2024 06:43:39.815004110 CET	62646	53	192.168.2.4	1.1.1.1
Dec 13, 2024 06:43:39.952131987 CET	53	62646	1.1.1.1	192.168.2.4
Dec 13, 2024 06:43:41.044269085 CET	52872	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 06:40:41.044701099 CET	192.168.2.4	1.1.1.1	0xa236	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:41.183269024 CET	192.168.2.4	1.1.1.1	0x47fc	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:43.598165035 CET	192.168.2.4	1.1.1.1	0xf220	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.737148046 CET	192.168.2.4	1.1.1.1	0xb27f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.740711927 CET	192.168.2.4	1.1.1.1	0x5b28	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.877439976 CET	192.168.2.4	1.1.1.1	0x4b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.878400087 CET	192.168.2.4	1.1.1.1	0x8224	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 06:40:44.018426895 CET	192.168.2.4	1.1.1.1	0x3ad	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:44.110281944 CET	192.168.2.4	1.1.1.1	0x117f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.387753010 CET	192.168.2.4	1.1.1.1	0x5b97	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.388014078 CET	192.168.2.4	1.1.1.1	0xf181	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.407557964 CET	192.168.2.4	1.1.1.1	0x61d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.528924942 CET	192.168.2.4	1.1.1.1	0x166c	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:40:44.529184103 CET	192.168.2.4	1.1.1.1	0x3339	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:44.546412945 CET	192.168.2.4	1.1.1.1	0x94a8	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.690700054 CET	192.168.2.4	1.1.1.1	0x345c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:44.851923943 CET	192.168.2.4	1.1.1.1	0x7d0c	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.219679117 CET	192.168.2.4	1.1.1.1	0xbbc4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.314156055 CET	192.168.2.4	1.1.1.1	0xfe5	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.359605074 CET	192.168.2.4	1.1.1.1	0xe7c2	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.360991001 CET	192.168.2.4	1.1.1.1	0x2033	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.364964008 CET	192.168.2.4	1.1.1.1	0x4ac2	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:48.791887045 CET	192.168.2.4	1.1.1.1	0x7e0b	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:48.796247959 CET	192.168.2.4	1.1.1.1	0x1034	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:48.931032896 CET	192.168.2.4	1.1.1.1	0xa4b8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:49.069279909 CET	192.168.2.4	1.1.1.1	0xa9d0	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:49.984417915 CET	192.168.2.4	1.1.1.1	0x792	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:50.006402969 CET	192.168.2.4	1.1.1.1	0x6e49	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.014369965 CET	192.168.2.4	1.1.1.1	0x9ca1	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.139560938 CET	192.168.2.4	1.1.1.1	0xd5c8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.152076960 CET	192.168.2.4	1.1.1.1	0xe5cf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.160335064 CET	192.168.2.4	1.1.1.1	0x5d6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.277173042 CET	192.168.2.4	1.1.1.1	0x8a53	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:40:50.289897919 CET	192.168.2.4	1.1.1.1	0xb14f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:40:50.299153090 CET	192.168.2.4	1.1.1.1	0x3048	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:40:55.138144970 CET	192.168.2.4	1.1.1.1	0x47fc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:00.668622971 CET	192.168.2.4	1.1.1.1	0x6a42	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:02.908055067 CET	192.168.2.4	1.1.1.1	0x80f0	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:02.908166885 CET	192.168.2.4	1.1.1.1	0x8a26	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:02.908292055 CET	192.168.2.4	1.1.1.1	0x55bd	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.046344042 CET	192.168.2.4	1.1.1.1	0x1d65	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.046885014 CET	192.168.2.4	1.1.1.1	0x6890	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.051203012 CET	192.168.2.4	1.1.1.1	0xe433	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.184272051 CET	192.168.2.4	1.1.1.1	0x7eaf	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:03.187823057 CET	192.168.2.4	1.1.1.1	0x19ff	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 06:41:03.190615892 CET	192.168.2.4	1.1.1.1	0x43e4	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:03.327608109 CET	192.168.2.4	1.1.1.1	0x14b7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.327608109 CET	192.168.2.4	1.1.1.1	0x2139	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.465681076 CET	192.168.2.4	1.1.1.1	0xf89a	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.549447060 CET	192.168.2.4	1.1.1.1	0xf6e2	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.604899883 CET	192.168.2.4	1.1.1.1	0x6fa9	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:03.687971115 CET	192.168.2.4	1.1.1.1	0x4aff	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 06:41:03.700126886 CET	192.168.2.4	1.1.1.1	0x1a45	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:09.752063036 CET	192.168.2.4	1.1.1.1	0x4aa9	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.752895117 CET	192.168.2.4	1.1.1.1	0xb0d1	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.762523890 CET	192.168.2.4	1.1.1.1	0xd7e4	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.892436028 CET	192.168.2.4	1.1.1.1	0xca13	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.993434906 CET	192.168.2.4	1.1.1.1	0x7611	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:41:09.993434906 CET	192.168.2.4	1.1.1.1	0x2064	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.030925989 CET	192.168.2.4	1.1.1.1	0xbf30	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 06:41:10.133511066 CET	192.168.2.4	1.1.1.1	0x2c7c	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:14.946480989 CET	192.168.2.4	1.1.1.1	0x7316	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:15.086807013 CET	192.168.2.4	1.1.1.1	0x38c4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:34.985666037 CET	192.168.2.4	1.1.1.1	0x278d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:35.378684044 CET	192.168.2.4	1.1.1.1	0xae81	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 06:41:36.686297894 CET	192.168.2.4	1.1.1.1	0xe052	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:36.827398062 CET	192.168.2.4	1.1.1.1	0xb88a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:41:39.938050032 CET	192.168.2.4	1.1.1.1	0x8172	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:42:18.190455914 CET	192.168.2.4	1.1.1.1	0x2184	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:43:39.529288054 CET	192.168.2.4	1.1.1.1	0x5f2f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:43:39.674573898 CET	192.168.2.4	1.1.1.1	0x84e5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:43:39.815004110 CET	192.168.2.4	1.1.1.1	0xb4ed	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 06:43:41.044269085 CET	192.168.2.4	1.1.1.1	0x10fc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 06:40:41.041906118 CET	1.1.1.1	192.168.2.4	0x821b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:41.182703972 CET	1.1.1.1	192.168.2.4	0xa236	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.736423016 CET	1.1.1.1	192.168.2.4	0xf220	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.874385118 CET	1.1.1.1	192.168.2.4	0xb27f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:43.874385118 CET	1.1.1.1	192.168.2.4	0xb27f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:43.877933979 CET	1.1.1.1	192.168.2.4	0x5b28	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.015290976 CET	1.1.1.1	192.168.2.4	0x4b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.015883923 CET	1.1.1.1	192.168.2.4	0x8224	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 06:40:44.156213045 CET	1.1.1.1	192.168.2.4	0x3ad	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 06:40:44.248306036 CET	1.1.1.1	192.168.2.4	0x117f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.249794960 CET	1.1.1.1	192.168.2.4	0xdbf7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:44.249794960 CET	1.1.1.1	192.168.2.4	0xdbf7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.524974108 CET	1.1.1.1	192.168.2.4	0x5b97	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.525422096 CET	1.1.1.1	192.168.2.4	0xf181	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.544441938 CET	1.1.1.1	192.168.2.4	0x61d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:44.544441938 CET	1.1.1.1	192.168.2.4	0x61d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:44.684976101 CET	1.1.1.1	192.168.2.4	0x94a8	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.217401028 CET	1.1.1.1	192.168.2.4	0x7d0c	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:45.217401028 CET	1.1.1.1	192.168.2.4	0x7d0c	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:45.217401028 CET	1.1.1.1	192.168.2.4	0x7d0c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.358041048 CET	1.1.1.1	192.168.2.4	0xbbc4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.451637030 CET	1.1.1.1	192.168.2.4	0xfe5	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.497342110 CET	1.1.1.1	192.168.2.4	0xe7c2	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.497342110 CET	1.1.1.1	192.168.2.4	0xe7c2	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.498266935 CET	1.1.1.1	192.168.2.4	0x2033	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:45.498266935 CET	1.1.1.1	192.168.2.4	0x2033	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:45.502003908 CET	1.1.1.1	192.168.2.4	0x4ac2	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 06:40:48.930340052 CET	1.1.1.1	192.168.2.4	0x7e0b	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:48.930340052 CET	1.1.1.1	192.168.2.4	0x7e0b	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:48.930340052 CET	1.1.1.1	192.168.2.4	0x7e0b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:49.017076969 CET	1.1.1.1	192.168.2.4	0x1034	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:49.068557024 CET	1.1.1.1	192.168.2.4	0xa4b8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.121015072 CET	1.1.1.1	192.168.2.4	0xec62	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:50.121015072 CET	1.1.1.1	192.168.2.4	0xec62	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.125001907 CET	1.1.1.1	192.168.2.4	0x2666	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.145214081 CET	1.1.1.1	192.168.2.4	0x6e49	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.151918888 CET	1.1.1.1	192.168.2.4	0x9ca1	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:40:50.151918888 CET	1.1.1.1	192.168.2.4	0x9ca1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.276696920 CET	1.1.1.1	192.168.2.4	0xd5c8	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.289414883 CET	1.1.1.1	192.168.2.4	0xe5cf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:50.298621893 CET	1.1.1.1	192.168.2.4	0x5d6	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:40:54.702786922 CET	1.1.1.1	192.168.2.4	0xee17	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:00.807425022 CET	1.1.1.1	192.168.2.4	0x6a42	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:00.807425022 CET	1.1.1.1	192.168.2.4	0x6a42	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.045430899 CET	1.1.1.1	192.168.2.4	0x80f0	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.046216011 CET	1.1.1.1	192.168.2.4	0x55bd	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:03.046216011 CET	1.1.1.1	192.168.2.4	0x55bd	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.050674915 CET	1.1.1.1	192.168.2.4	0x8a26	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:03.050674915 CET	1.1.1.1	192.168.2.4	0x8a26	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.183773041 CET	1.1.1.1	192.168.2.4	0x1d65	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.187411070 CET	1.1.1.1	192.168.2.4	0x6890	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.190221071 CET	1.1.1.1	192.168.2.4	0xe433	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.324053049 CET	1.1.1.1	192.168.2.4	0x7eaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:41:03.324053049 CET	1.1.1.1	192.168.2.4	0x7eaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:41:03.324053049 CET	1.1.1.1	192.168.2.4	0x7eaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:41:03.324053049 CET	1.1.1.1	192.168.2.4	0x7eaf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 06:41:03.326900005 CET	1.1.1.1	192.168.2.4	0x19ff	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 06:41:03.328535080 CET	1.1.1.1	192.168.2.4	0x43e4	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 06:41:03.465082884 CET	1.1.1.1	192.168.2.4	0x14b7	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.548849106 CET	1.1.1.1	192.168.2.4	0x2139	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:03.548849106 CET	1.1.1.1	192.168.2.4	0x2139	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.548849106 CET	1.1.1.1	192.168.2.4	0x2139	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.548849106 CET	1.1.1.1	192.168.2.4	0x2139	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.548849106 CET	1.1.1.1	192.168.2.4	0x2139	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.604463100 CET	1.1.1.1	192.168.2.4	0xf89a	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.687381983 CET	1.1.1.1	192.168.2.4	0xf6e2	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.687381983 CET	1.1.1.1	192.168.2.4	0xf6e2	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.687381983 CET	1.1.1.1	192.168.2.4	0xf6e2	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:03.687381983 CET	1.1.1.1	192.168.2.4	0xf6e2	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.891104937 CET	1.1.1.1	192.168.2.4	0x4aa9	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.891104937 CET	1.1.1.1	192.168.2.4	0x4aa9	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.891104937 CET	1.1.1.1	192.168.2.4	0x4aa9	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.891104937 CET	1.1.1.1	192.168.2.4	0x4aa9	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.899842024 CET	1.1.1.1	192.168.2.4	0xd7e4	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:09.899842024 CET	1.1.1.1	192.168.2.4	0xd7e4	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:09.990685940 CET	1.1.1.1	192.168.2.4	0xb0d1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.030436993 CET	1.1.1.1	192.168.2.4	0xca13	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.030436993 CET	1.1.1.1	192.168.2.4	0xca13	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.030436993 CET	1.1.1.1	192.168.2.4	0xca13	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.030436993 CET	1.1.1.1	192.168.2.4	0xca13	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.132184982 CET	1.1.1.1	192.168.2.4	0x2064	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:10.170118093 CET	1.1.1.1	192.168.2.4	0xbf30	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:41:10.170118093 CET	1.1.1.1	192.168.2.4	0xbf30	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:41:10.170118093 CET	1.1.1.1	192.168.2.4	0xbf30	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:41:10.170118093 CET	1.1.1.1	192.168.2.4	0xbf30	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 06:41:12.997273922 CET	1.1.1.1	192.168.2.4	0xb8a7	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:12.997273922 CET	1.1.1.1	192.168.2.4	0xb8a7	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:15.085427046 CET	1.1.1.1	192.168.2.4	0x7316	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:35.376683950 CET	1.1.1.1	192.168.2.4	0x278d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:41:35.376683950 CET	1.1.1.1	192.168.2.4	0x278d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:35.518897057 CET	1.1.1.1	192.168.2.4	0xae81	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 06:41:36.823697090 CET	1.1.1.1	192.168.2.4	0xe052	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:41:39.936849117 CET	1.1.1.1	192.168.2.4	0x49ce	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:43:39.666868925 CET	1.1.1.1	192.168.2.4	0x5f2f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:43:39.813407898 CET	1.1.1.1	192.168.2.4	0x84e5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 06:43:41.182225943 CET	1.1.1.1	192.168.2.4	0x10fc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 06:43:41.182225943 CET	1.1.1.1	192.168.2.4	0x10fc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:40:43.999053955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:40:45.085932970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 70279 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:40:45.624078989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:40:46.789401054 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 54186 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49748	34.107.221.82	80	984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:40:45.879781961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:40:46.967037916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66184 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:40:48.800260067 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:40:49.115573883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66186 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:40:54.564199924 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:40:54.879300117 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66192 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:40:58.602829933 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:40:58.918880939 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66196 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:00.668759108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:00.984339952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66198 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:04.929367065 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:05.274350882 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66203 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:10.986563921 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:11.400011063 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66209 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:12.398008108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:12.814883947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66210 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:16.187741995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:16.502855062 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66214 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:26.510443926 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:41:34.985250950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:35.300784111 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66233 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:38.058929920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:38.374603033 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66236 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:41.169352055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:41:41.484693050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66239 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:41:51.495611906 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:01.624083042 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:11.751367092 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:19.424077034 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:42:19.739269972 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66277 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 06:42:29.749828100 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:39.879767895 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:50.003374100 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:43:00.133147955 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:43:10.262263060 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:43:20.390747070 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	34.107.221.82	80	984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:40:48.918387890 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:40:50.012006998 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 54189 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49754	34.107.221.82	80	984	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:40:50.115561008 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:40:51.201539993 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70343 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:40:55.535068989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:40:55.850663900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70347 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:40:59.236500025 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:40:59.551768064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70351 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:00.992053986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:01.307128906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70353 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:05.277132988 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:05.592806101 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70357 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:11.403191090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:11.718560934 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70363 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:12.819550037 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:13.148221016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70364 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:16.507170916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:17.000623941 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70368 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:27.011852026 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:41:35.304718018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:35.619810104 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70387 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:38.377486944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:38.693069935 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70390 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:41.488723040 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:41:41.809047937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70393 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:41:51.812177896 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:01.940563917 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:12.068053007 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:19.743110895 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:42:20.058336020 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70431 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 06:42:30.072771072 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:40.202689886 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:42:50.342086077 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:43:00.471911907 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:43:10.600939035 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 06:43:20.729406118 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	50055	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:43:41.303767920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 06:43:42.392540932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 66360 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	50056	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 06:43:42.515911102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 06:43:43.602731943 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 70515 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	00:40:34
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xab0000
File size:	972'288 bytes
MD5 hash:	E065205FC134566FDA736CCC9BE37E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:40:35
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x210000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:40:35
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x210000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x210000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x210000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x210000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:40:37
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:40:38
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:40:38
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:40:38
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	00:40:38
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9581fea2-e02b-4ecb-8d33-59ff9b00bbb1} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297ce76d910 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	00:40:41
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3820 -parentBuildID 20230927232528 -prefsHandle 2720 -prefMapHandle 2688 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76cf4d42-ad86-44da-b0ab-ff06d0696284} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e0806710 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	00:40:49
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 2532 -prefMapHandle 1540 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3996ec-619f-4f1d-93b6-3ac2be77d329} 984 "\\.\pipe\gecko-crash-server-pipe.984" 297e87c6f10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1731
Total number of Limit Nodes:	54

Executed Functions

Function 00AB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00AB430D

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

GetCurrentProcess.KERNEL32(?,00B4CB64,00000000,?,?), ref: 00AB4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00AB4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00AB4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AB4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00AB4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AB447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00AB44A0

Strings

GetNativeSystemInfo, xrefs: 00AB4460
|O, xrefs: 00AF36F8
kernel32.dll, xrefs: 00AB444F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 268584ceac97166fa12bf21d3ef14bc531160fd55adb35bf20aa5839e54a3d3c
Instruction ID: 30b8b920fa0de49739647a6f966e572dd46e58fd9413636157c26b17e432d6be
Opcode Fuzzy Hash: 268584ceac97166fa12bf21d3ef14bc531160fd55adb35bf20aa5839e54a3d3c
Instruction Fuzzy Hash: 74A1837690B2C4FFCB12D7AD7C411E57FEC7B2A740B084C99E18197A33DA60460ADB69

Function 00AB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AB50AA,?,?,00000000,00000000), ref: 00AB42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AB50AA,?,?,00000000,00000000), ref: 00AB42C9
LoadResource.KERNEL32(?,00000000,?,?,00AB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AB4F20), ref: 00AF35BE
SizeofResource.KERNEL32(?,00000000,?,?,00AB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AB4F20), ref: 00AF35D3
LockResource.KERNEL32(00AB50AA,?,?,00AB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AB4F20,?), ref: 00AF35E6

Strings

SCRIPT, xrefs: 00AB42BF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 78267e99e4301e23a61125688530ac750d384f1c3f80e818ac52ec33ec7e487a
Instruction ID: 941e787c153b799be1b97b42f6f1e26023ba7e7b64e10f951824b7f273c6ff50
Opcode Fuzzy Hash: 78267e99e4301e23a61125688530ac750d384f1c3f80e818ac52ec33ec7e487a
Instruction Fuzzy Hash: 57117C75201B00BFEB218FA5DC49FA77BBDEBCAB51F204169F40296261DBB1D9109A20

Function 00AF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00AB2B6B

Part of subcall function 00AB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B81418,?,00AB2E7F,?,?,?,00000000), ref: 00AB3A78

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00B72224), ref: 00AF2C10
ShellExecuteW.SHELL32(00000000,?,?,00B72224), ref: 00AF2C17

Strings

runas, xrefs: 00AF2C0B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 9e5dc50448399e1ba50f4b235c3aafdc9e96d04a8237597536bb34838c5c36dc
Instruction ID: 8f084c8e557d77dcdde2daf8649cc8c4a66056a22f167a1ae51af8a97f3a4373
Opcode Fuzzy Hash: 9e5dc50448399e1ba50f4b235c3aafdc9e96d04a8237597536bb34838c5c36dc
Instruction Fuzzy Hash: 4411B4322093056ACB14FFA4DA51AFE7BECAB91740F44186DF146571B3CF218A4AD712

Function 00B1D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B1D501
Process32FirstW.KERNEL32(00000000,?), ref: 00B1D50F
Process32NextW.KERNEL32(00000000,?), ref: 00B1D52F
CloseHandle.KERNEL32(00000000), ref: 00B1D5DC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9386b71f505e1e7de193f35e40cce986c22275de09398c8255ce0a7cbbce2e64
Instruction ID: 86924fc8e6f424492b644977e5d7d176ebf7c12efe695bc76af5c43383c3e074
Opcode Fuzzy Hash: 9386b71f505e1e7de193f35e40cce986c22275de09398c8255ce0a7cbbce2e64
Instruction Fuzzy Hash: 9C318F711083009FD300EF54C885AEFBBE8EF9A354F54092DF585971A2EB719A85CB92

Function 00B1DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00AF5222), ref: 00B1DBCE
GetFileAttributesW.KERNEL32(?), ref: 00B1DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00B1DBEE
FindClose.KERNEL32(00000000), ref: 00B1DBFA

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 43db401e1372e31193c823b87c49acc951ba2ded165030d33a0af9ebee86fc62
Instruction ID: 1f5fe16e08b2a579e2dfada08d9fa05e037384af31e8636158ada63d68ce8f30
Opcode Fuzzy Hash: 43db401e1372e31193c823b87c49acc951ba2ded165030d33a0af9ebee86fc62
Instruction Fuzzy Hash: 97F0A0388119105782606F78AC0D8EA3BACEE02334B904F42F936C20E0EFF05A94C6D5

Function 00B0D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B0D220

Strings

%.3d, xrefs: 00B0D22B
X64, xrefs: 00B0D2A8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8059e6fca1acd5ad9e9195a9b1f157c1c6d71fc08c1bd5a78200385ec714066d
Instruction ID: 437e89e43f69446bb07cc33f92375d7ff2f65736fc4c72c5a1ed1d7975f56410
Opcode Fuzzy Hash: 8059e6fca1acd5ad9e9195a9b1f157c1c6d71fc08c1bd5a78200385ec714066d
Instruction Fuzzy Hash: C9D01271809118EACB9097D4CC85DB9BBFCFB08301F5184E6F80A920C0DB24CA086B61

Function 00AD4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00AE28E9,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002,00000000,?,00AE28E9), ref: 00AD4D09
TerminateProcess.KERNEL32(00000000,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002,00000000,?,00AE28E9), ref: 00AD4D10
ExitProcess.KERNEL32 ref: 00AD4D22

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 40ccfd5c8423a9a88e1b586008d5fa65a4db437e8ae4d9749eeb69347087528f
Instruction ID: 81ae648ad613eda1f5261eba116437cf0044cdeff90b5e03af5ba32ac3543788
Opcode Fuzzy Hash: 40ccfd5c8423a9a88e1b586008d5fa65a4db437e8ae4d9749eeb69347087528f
Instruction Fuzzy Hash: 5CE0B635001188AFCF61AF64DE09A593F6AFB46B81B144015FC569B222CB35DE42CA84

Function 00B0D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B0D28C

Strings

X64, xrefs: 00B0D2A8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 504844cbc403c042f04e9303de3c39dd394d74dc550700bc1facafe02461f37e
Instruction ID: 9dea95569506dc248549d49192f0edac32a6cdf7107010586301e0efab1c711e
Opcode Fuzzy Hash: 504844cbc403c042f04e9303de3c39dd394d74dc550700bc1facafe02461f37e
Instruction Fuzzy Hash: DCD0C9B480211DEBCB90CB94DCC8DD9B7BCBB04305F100195F106A2140DB3096488F10

Function 00B3AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00B3B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B1D4
_wcslen.LIBCMT ref: 00B3B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B236
_wcslen.LIBCMT ref: 00B3B332

Part of subcall function 00B205A7: GetStdHandle.KERNEL32(000000F6), ref: 00B205C6

_wcslen.LIBCMT ref: 00B3B34B
_wcslen.LIBCMT ref: 00B3B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B3B3B6
GetLastError.KERNEL32(00000000), ref: 00B3B407
CloseHandle.KERNEL32(?), ref: 00B3B439
CloseHandle.KERNEL32(00000000), ref: 00B3B44A
CloseHandle.KERNEL32(00000000), ref: 00B3B45C
CloseHandle.KERNEL32(00000000), ref: 00B3B46E
CloseHandle.KERNEL32(?), ref: 00B3B4E3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 904b814cede994ff7ca87a5f2aa2ab5b2e6495c490d85a0fef4826b9d254cd8a
Instruction ID: 710c50351d301172c6b6b9a91bbc6b8742a6ad4ce6bcc4cdcf19a46d9bd37808
Opcode Fuzzy Hash: 904b814cede994ff7ca87a5f2aa2ab5b2e6495c490d85a0fef4826b9d254cd8a
Instruction Fuzzy Hash: 17F17A316042009FC724EF24C991F6EBBE5EF85710F24859DF99A9B2A6CB71EC44CB52

Function 00ABD730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00ABD807
timeGetTime.WINMM ref: 00ABDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABDB28
TranslateMessage.USER32(?), ref: 00ABDB7B
DispatchMessageW.USER32(?), ref: 00ABDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABDB9F
Sleep.KERNEL32(0000000A), ref: 00ABDBB1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bec31506c266ef815390cc2852913abc8a03a051f8eac60a254c31b03f083299
Instruction ID: c604af65577b7913aa6eb5b8a5c50700f4c2b5eff72fb2f1d6c358e22f30df9c
Opcode Fuzzy Hash: bec31506c266ef815390cc2852913abc8a03a051f8eac60a254c31b03f083299
Instruction Fuzzy Hash: D742D570604341EFD729CF24C899BAABBF9FF45304F14495DE456872A2EB71E848CB92

Function 00AB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AB2D07
RegisterClassExW.USER32(00000030), ref: 00AB2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB2D42
InitCommonControlsEx.COMCTL32(?), ref: 00AB2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB2D6F
LoadIconW.USER32(000000A9), ref: 00AB2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB2D94

Strings

0, xrefs: 00AB2CE9
AutoIt v3 GUI, xrefs: 00AB2D23
TaskbarCreated, xrefs: 00AB2D37
+, xrefs: 00AB2CF0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a178579d14e3af6201386424eff42e49c4f48c768659e167c261f4f32d8ddd7f
Instruction ID: c335766e2587896cf88d4acafcf4dfc3ea088b3ac86afc4349aedaeea1f7088f
Opcode Fuzzy Hash: a178579d14e3af6201386424eff42e49c4f48c768659e167c261f4f32d8ddd7f
Instruction Fuzzy Hash: 7221B2B5912218AFDB40DFA8EC49BDDBFB8FB09B00F00451AE511A72A0DBB14645CF95

Function 00AF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AF039A: CreateFileW.KERNEL32(00000000,00000000,?,00AF0704,?,?,00000000,?,00AF0704,00000000,0000000C), ref: 00AF03B7

GetLastError.KERNEL32 ref: 00AF076F
__dosmaperr.LIBCMT ref: 00AF0776
GetFileType.KERNEL32(00000000), ref: 00AF0782
GetLastError.KERNEL32 ref: 00AF078C
__dosmaperr.LIBCMT ref: 00AF0795
CloseHandle.KERNEL32(00000000), ref: 00AF07B5
CloseHandle.KERNEL32(?), ref: 00AF08FF
GetLastError.KERNEL32 ref: 00AF0931
__dosmaperr.LIBCMT ref: 00AF0938

Strings

H, xrefs: 00AF08BD

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1782616288ecd6b560729be7187aa1e1c0fed6f2b4036d74af3e975433d7ff12
Instruction ID: 445e93f932dda3c5729808a8cc8a1ba553a28363c77103828e0822ce22abbdd6
Opcode Fuzzy Hash: 1782616288ecd6b560729be7187aa1e1c0fed6f2b4036d74af3e975433d7ff12
Instruction Fuzzy Hash: 51A12736A101088FDF19AFA8D851BBE7BA0AF06320F144159F916DF3A2DB359D12CB91

Function 00AB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B81418,?,00AB2E7F,?,?,?,00000000), ref: 00AB3A78

Part of subcall function 00AB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AB3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AB356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AF318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AF31CE
RegCloseKey.ADVAPI32(?), ref: 00AF3210
_wcslen.LIBCMT ref: 00AF3277
_wcslen.LIBCMT ref: 00AF3286

Strings

\, xrefs: 00AF328C
Include, xrefs: 00AF3184, 00AF31C5
Software\AutoIt v3\AutoIt, xrefs: 00AB3560
\Include\, xrefs: 00AB3527

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8275f2dbbc8eae4c3837a715c4e0c754c4f5ecac32f5651a5884997ff352c03c
Instruction ID: 1bacc9b9cf3357b88c8e26361eb4cbc00392f17905dd5b1524b94127dae455bc
Opcode Fuzzy Hash: 8275f2dbbc8eae4c3837a715c4e0c754c4f5ecac32f5651a5884997ff352c03c
Instruction Fuzzy Hash: 4071B0724053049EC714EF69ED929ABBBE8FF99740F40092EF54583271EF349A48CB56

Function 00AB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AB2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00AB2B9D
LoadIconW.USER32(00000063), ref: 00AB2BB3
LoadIconW.USER32(000000A4), ref: 00AB2BC5
LoadIconW.USER32(000000A2), ref: 00AB2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AB2BEF
RegisterClassExW.USER32(?), ref: 00AB2C40

Part of subcall function 00AB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00AB2D07
Part of subcall function 00AB2CD4: RegisterClassExW.USER32(00000030), ref: 00AB2D31
Part of subcall function 00AB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB2D42
Part of subcall function 00AB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00AB2D5F
Part of subcall function 00AB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB2D6F
Part of subcall function 00AB2CD4: LoadIconW.USER32(000000A9), ref: 00AB2D85
Part of subcall function 00AB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB2D94

Strings

#, xrefs: 00AB2C16
0, xrefs: 00AB2C0F
AutoIt v3, xrefs: 00AB2C2F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 03509d16b3615fd8465caf10f5990e6b1e2eb75aade16404c6cfb281ac4a7a33
Instruction ID: 9eee59bfc91cc671d8ddb0131c9c36ed0f3284e80839894a8fcbd7e435a12689
Opcode Fuzzy Hash: 03509d16b3615fd8465caf10f5990e6b1e2eb75aade16404c6cfb281ac4a7a33
Instruction Fuzzy Hash: C9211875E02318BBDB10DFA9EC55AA97FB8FB48B50F00041AE500A76B0DBB14A51CF98

Function 00AB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00AB316A,?,?), ref: 00AB31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00AB316A,?,?), ref: 00AB3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AB3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00AB316A,?,?), ref: 00AB3232
CreatePopupMenu.USER32 ref: 00AB3246
PostQuitMessage.USER32(00000000), ref: 00AB3267

Strings

TaskbarCreated, xrefs: 00AB322D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 1dc1ab5cefd3532acfbb6c1dc6d171cd0c11f69e6cbc586c6edab708b50c0603
Instruction ID: 71e116172ca3ab241165926d6cd481993272f7b458a9ee651a90fc0a95bd3dbe
Opcode Fuzzy Hash: 1dc1ab5cefd3532acfbb6c1dc6d171cd0c11f69e6cbc586c6edab708b50c0603
Instruction Fuzzy Hash: CB41D437241208A7DF146BACDD1ABF93A6DEB15340F040655F601862B3CF718E42E765

Function 00AB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AB1459
CoUninitialize.COMBASE ref: 00AB14F8
UnregisterHotKey.USER32(?), ref: 00AB16DD
DestroyWindow.USER32(?), ref: 00AF24B9
FreeLibrary.KERNEL32(?), ref: 00AF251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF254B

Strings

close all, xrefs: 00AB1454

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8f6e0228efabdc5f2be1d74d6874a1f189436773b7191d6cd6816f8df3ec60a9
Instruction ID: d41d8276149ec9b90bef41e1cc98b0b6409555d86ee7166ab84ee2e3f318faf3
Opcode Fuzzy Hash: 8f6e0228efabdc5f2be1d74d6874a1f189436773b7191d6cd6816f8df3ec60a9
Instruction Fuzzy Hash: 45D18D31702222CFCB29EF54C5A9B69F7A8BF05700F5542ADE54AAB252CB30AD12CF50

Function 00B1DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00B1DE42
gethostname.WS2_32(?,00000100), ref: 00B1DE5C
gethostbyname.WS2_32(?), ref: 00B1DE69
inet_ntoa.WSOCK32(?), ref: 00B1DEAB
_strcat.LIBCMT ref: 00B1DEB9
WSACleanup.WSOCK32 ref: 00B1DEDE

Strings

0.0.0.0, xrefs: 00B1DE87

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: cc0a23a3a4325b5511433ddb4bfaada2fcc8a8005006aa04efd9ea27d4aecbe4
Instruction ID: 5fb80a0fc91f2d429b3712891a65557431d6b32a0702e60131f55098e7781f9e
Opcode Fuzzy Hash: cc0a23a3a4325b5511433ddb4bfaada2fcc8a8005006aa04efd9ea27d4aecbe4
Instruction Fuzzy Hash: F0110632904104AFCF60AB709C4AEEE7BECEF15711F4001AAF40697191EF748AC18A50

Function 00AB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AB2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AB2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00AB1CAD,?), ref: 00AB2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00AB1CAD,?), ref: 00AB2CCF

Strings

edit, xrefs: 00AB2CAC
AutoIt v3, xrefs: 00AB2C89, 00AB2C8E, 00AB2C8F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 54957b523708663c4f85e368ef9ece89839c2278b987d7f64118f4b9230a536b
Instruction ID: 606a9cf46ace14d44af5da78bac1fb655fac20bf4e7db6d2ab844fabd0db7b5f
Opcode Fuzzy Hash: 54957b523708663c4f85e368ef9ece89839c2278b987d7f64118f4b9230a536b
Instruction Fuzzy Hash: CAF0DA755423907AEB711B1BAC08EB72EBDE7C7F50B00045AF904A35B0CA755852DBB9

Function 00B0D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00B0D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B0D3BF
FreeLibrary.KERNEL32(00000000), ref: 00B0D3E5

Strings

X64, xrefs: 00B0D2A8
GetSystemWow64DirectoryW, xrefs: 00B0D3B9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 4d8656b3e837d6738b5963830a42682656405fb9b9e74148bea3efd6b29017dd
Instruction ID: 02b3e515923c6e234839a3eda4fc986fb964ee219e350d0c073b590f8870ca14
Opcode Fuzzy Hash: 4d8656b3e837d6738b5963830a42682656405fb9b9e74148bea3efd6b29017dd
Instruction Fuzzy Hash: 76F0A07A406A21ABD7B11794CC98B69BEA4AF11B41B9581D9F406F21D4DF20CE408B9A

Function 00AB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00AB3B0F,SwapMouseButtons,00000004,?), ref: 00AB3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00AB3B0F,SwapMouseButtons,00000004,?), ref: 00AB3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00AB3B0F,SwapMouseButtons,00000004,?), ref: 00AB3B83

Strings

Control Panel\Mouse, xrefs: 00AB3B3E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6d6f9b3b949436831775a1461239e514f9683e53a85d23bc6332ea4a84dbb62a
Instruction ID: 6c760a485b9d36defbacbcc8e1c7abaf94e9e230b7af58c5f23e26880fbee623
Opcode Fuzzy Hash: 6d6f9b3b949436831775a1461239e514f9683e53a85d23bc6332ea4a84dbb62a
Instruction Fuzzy Hash: 5A112AB6511208FFDF218FA5DC44AEEBBBCEF05744B104559A806D7215D6719F409760

Function 00ABDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B032B7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: d6c83c36aaa1370117004d39df87788309bf3bfe0aa583fba3100e39b306435c
Instruction ID: 54de216988f872267d9993daf89a4e8de664a66e5ed0f038c4fd656954b8ce45
Opcode Fuzzy Hash: d6c83c36aaa1370117004d39df87788309bf3bfe0aa583fba3100e39b306435c
Instruction Fuzzy Hash: 74C26675A00214CFCB24CF98C885AEDB7F9FB18700F248569E916AB3A2D775AD41CB91

Function 00ABEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00ABFE66

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 44751427ffa618aa3ef61cd5239946caba283aa1c162af0be2e4348b50955164
Instruction ID: 6f08cf43e96552c419ca90437844ae5b6c6d11b8cd8b8fbcc7a15b55889886b3
Opcode Fuzzy Hash: 44751427ffa618aa3ef61cd5239946caba283aa1c162af0be2e4348b50955164
Instruction Fuzzy Hash: 70B28E74604340CFCB24CF18C890AAABBF5BF95314F28496DE9968B362D771ED45CB92

Function 00AB3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AF33A2

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB3A04

Strings

Line: , xrefs: 00AF33EB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: a24aac551ae015780baaf0fb421e0e0c00a478de2b40abac757ed155cf187886
Instruction ID: cc41f990545f023fff72e3498f714661c6e8fbce0a9ee0d50ec9e223c9256c04
Opcode Fuzzy Hash: a24aac551ae015780baaf0fb421e0e0c00a478de2b40abac757ed155cf187886
Instruction Fuzzy Hash: 0931E872409304ABDB25EB24DC45BEBB7ECAF40710F104A1EF59A871A2DF709A49C7C6

Function 00ACFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00AD0668

Part of subcall function 00AD32A4: RaiseException.KERNEL32(?,?,?,00AD068A,?,00B81444,?,?,?,?,?,?,00AD068A,00AB1129,00B78738,00AB1129), ref: 00AD3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00AD0685

Strings

Unknown exception, xrefs: 00AD0692

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: df11dc8a959909ea413779a1e4add2fa383deda6af7c5fead9bdc9294348b0bd
Instruction ID: 969b786e9124faee56b1e9cbfb88ebe5fda6b3785513dfa781965fb2c5c7fb0b
Opcode Fuzzy Hash: df11dc8a959909ea413779a1e4add2fa383deda6af7c5fead9bdc9294348b0bd
Instruction Fuzzy Hash: 48F0C23490020D7BCF00BB64E94AE9E77BD5E00354F608176B82AD66A5EF71DB25C581

Function 00AB10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB1BF4
Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB1BFC
Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB1C07
Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB1C12
Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB1C1A
Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB1C22

Part of subcall function 00AB1B4A: RegisterWindowMessageW.USER32(00000004,?,00AB12C4), ref: 00AB1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AB136A
OleInitialize.OLE32 ref: 00AB1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00AF24AB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6d258b6d127f530dba10e82f266bfea8071fd0df4cf21d2aa45f9b4ffa0764fe
Instruction ID: 3e0895d71f4b079590da3819f891d3f9ea2cf03deac7d6e244ba6b202b7f4f5b
Opcode Fuzzy Hash: 6d258b6d127f530dba10e82f266bfea8071fd0df4cf21d2aa45f9b4ffa0764fe
Instruction Fuzzy Hash: 517199B59132008EC384EF7DE956A953AECBBA87447588A6AD40AD7372EF308503CF55

Function 00B1C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B1C259
KillTimer.USER32(?,00000001,?,?), ref: 00B1C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B1C270

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 9776f6b7ec6393ea2419aaabbea7c25caabf6e9400a81a37ce0a4713ecfdcbe4
Instruction ID: bf21412ad990b31b6051781703a2081f20cd92f6ea10b7c9c6179e10e6e49301
Opcode Fuzzy Hash: 9776f6b7ec6393ea2419aaabbea7c25caabf6e9400a81a37ce0a4713ecfdcbe4
Instruction Fuzzy Hash: 9531BF70944344AFEB628F648895BEABFECAB17708F0004DAD69AA7241C7745AC5CB91

Function 00AE86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00AE85CC,?,00B78CC8,0000000C), ref: 00AE8704
GetLastError.KERNEL32(?,00AE85CC,?,00B78CC8,0000000C), ref: 00AE870E
__dosmaperr.LIBCMT ref: 00AE8739

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3c24398a941d73121efd9bd1d99dd12e7ecfb70f92334443c684335315ffae1f
Instruction ID: 5959a02716125386a03a26eab08b76c52700a985a21ee86e97f98f6ec99ab80c
Opcode Fuzzy Hash: 3c24398a941d73121efd9bd1d99dd12e7ecfb70f92334443c684335315ffae1f
Instruction Fuzzy Hash: CA018E32A052E016C2607336BA4577E7B594B83B78F390119F81C8F1D2DEB8CC81C250

Function 00ABDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00ABDB7B
DispatchMessageW.USER32(?), ref: 00ABDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABDB9F
Sleep.KERNEL32(0000000A), ref: 00ABDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00B01CC9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c33338397eb26229f2f64f00dd81511fad9964eb22727c9b63bf39140c8189ea
Instruction ID: 50bafa809b6447c90c4ae8a9512c00a624b2e656473b5e053e385bee02e150f1
Opcode Fuzzy Hash: c33338397eb26229f2f64f00dd81511fad9964eb22727c9b63bf39140c8189ea
Instruction Fuzzy Hash: 33F05E306463409BEB74CBA48C49FEA7BECEB45710F104A58E61A970D0EB309948CB25

Function 00AC1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00AC17F6

Strings

CALL, xrefs: 00AC17C6

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 0a8a38d3a3dcebd28986011cd4e6cba9a9381f4befd3075187e81a2c9560b292
Instruction ID: e973768b3f7353bee51c43b8497cf4d6d9f38a3794ca4198acd62aab9972c63c
Opcode Fuzzy Hash: 0a8a38d3a3dcebd28986011cd4e6cba9a9381f4befd3075187e81a2c9560b292
Instruction Fuzzy Hash: EB2269706082019FC714DF24C990F2ABBF1BF96314F25896DF49A8B3A2D731E955CB92

Function 00AC01E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb409a88f9350fe34187ad37964918336de5c23e0ed640b4c56d22f1cbe81cc
Instruction ID: 7a940a1390600fc9a70b2173094bcf85031b188873aa0943c1557067f7bf5bb1
Opcode Fuzzy Hash: 4bb409a88f9350fe34187ad37964918336de5c23e0ed640b4c56d22f1cbe81cc
Instruction Fuzzy Hash: C232AC70A00605DFCB24DF64C885FEEBBB5EF15310F1685A9E916AB2A2D731ED40CB91

Function 00AB2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00AF2C8C

Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2

Part of subcall function 00AB2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AB2DC4

Strings

X, xrefs: 00AF2C5A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e0e6b21705ed138d5e7a76c5536ffd901433db3f5e8d0ab2214a8cb136bbe526
Instruction ID: d2d12958b96c06ca088b1cf96b2f858ebfe6f28abe9a35a3db7dc92395f348bb
Opcode Fuzzy Hash: e0e6b21705ed138d5e7a76c5536ffd901433db3f5e8d0ab2214a8cb136bbe526
Instruction Fuzzy Hash: 6A219371A1029C9FDF01DF94C945BEE7BFCAF49704F00805AE519A7242DBB49A898F61

Function 00B0D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00B0D375

Strings

X64, xrefs: 00B0D2A8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 59f12edf99b01ba6a0722b6126e303b304e6cb2f0978e5ad5f53614c661a361f
Instruction ID: 7667b64cb0a5da24e22c92dd7853b2d086fe47252a922cedce7fb7951647dbf7
Opcode Fuzzy Hash: 59f12edf99b01ba6a0722b6126e303b304e6cb2f0978e5ad5f53614c661a361f
Instruction Fuzzy Hash: 34D0C9B580511CEBCB90CB84DCC8ED9BBBCBB04301F504195F002A2080DB3096489B10

Function 00AB3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB3908

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7bc3e060fdbc874a0e481e9a8ce59086b32de77819cc1ffcca5c298d7b08cee0
Instruction ID: d32f3551a52910778d022b8882de9566066e49720775eafecbe5ab1491cab554
Opcode Fuzzy Hash: 7bc3e060fdbc874a0e481e9a8ce59086b32de77819cc1ffcca5c298d7b08cee0
Instruction Fuzzy Hash: EF318F715057019FDB21DF68D8847E7BBE8FB49708F00092EF69A87251EB71AA44CB52

Function 00ACF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00ACF661

Part of subcall function 00ABD730: GetInputState.USER32 ref: 00ABD807

Sleep.KERNEL32(00000000), ref: 00B0F2DE

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 767fdd962e8c2b7db0b529d85f92ab8d194f8c10c8eb40373f986e9b817362f2
Instruction ID: 6b5bab78637b75cd053a7fc24378893cfe5f2def3135184eea2f2ec5a3440c88
Opcode Fuzzy Hash: 767fdd962e8c2b7db0b529d85f92ab8d194f8c10c8eb40373f986e9b817362f2
Instruction Fuzzy Hash: 91F082352402059FD350EF65D545BAABBE8FF45760F000129E85AC7261DF70A800CB91

Function 00ABB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00ABBB4E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: cb30bf947e3fc4c882c64462f1b3523149fa6d3445073a994755d51b572b863a
Instruction ID: 2ebdc303c4750b208dbbbf59c404c441ce965cc2ecc1d4f761a7bb82b3260ac1
Opcode Fuzzy Hash: cb30bf947e3fc4c882c64462f1b3523149fa6d3445073a994755d51b572b863a
Instruction Fuzzy Hash: 76329E35A10209DFDB24DF54C994BFEBBF9EF44350F148099E905AB2A2C7B4AD41CBA1

Function 00AB4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E9C
Part of subcall function 00AB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AB4EAE
Part of subcall function 00AB4E90: FreeLibrary.KERNEL32(00000000,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EFD

Part of subcall function 00AB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E62
Part of subcall function 00AB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AB4E74
Part of subcall function 00AB4E59: FreeLibrary.KERNEL32(00000000,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E87

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: a74b556cc91948ff8a8e2b689caff22ba679cd83d4eb0a1abc5950c074d30eca
Instruction ID: ac533453b308c8c176ff0d558422c5b4342dfe5335b87a53f4b09563ec1ed635
Opcode Fuzzy Hash: a74b556cc91948ff8a8e2b689caff22ba679cd83d4eb0a1abc5950c074d30eca
Instruction Fuzzy Hash: 54119432610205AADF14FB74DD02BED77A9AF44B10F104429F542AB1D3DE70DA459B50

Function 00AE8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00AE8440

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d7230ca5f19274cafb776ab7ea4c064896d1ef683f44f470f876111a85612cbb
Instruction ID: 45f727ca1b8899753300c4b449fe1fe0952e8f5d8f3489e505f756ba3806688c
Opcode Fuzzy Hash: d7230ca5f19274cafb776ab7ea4c064896d1ef683f44f470f876111a85612cbb
Instruction Fuzzy Hash: F611187590410AAFCB05DF59E94199A7BF5EF48314F104059F808AB352DA31DA11CBA5

Function 00AE5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AE4C7D: RtlAllocateHeap.NTDLL(00000008,00AB1129,00000000,?,00AE2E29,00000001,00000364,?,?,?,00ADF2DE,00AE3863,00B81444,?,00ACFDF5,?), ref: 00AE4CBE

_free.LIBCMT ref: 00AE506C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3d34528a7ee4316922fa1342fc6df5b7107c4987012451840ade6d42733b9886
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 9C0149726047446FE3318F6AE885A5AFBECFB89370F25052DF184832C0EA70A905C7B4

Function 00ADE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a1a631cea72e0dde5e261a3255bd646860ed68e43a301ce94c6f9bdd53593630
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 13F02832511A149AD7317B7A8E05B9B339C9F52334F10071BF4279B3D2DB74E80286A5

Function 00AE4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00AB1129,00000000,?,00AE2E29,00000001,00000364,?,?,?,00ADF2DE,00AE3863,00B81444,?,00ACFDF5,?), ref: 00AE4CBE

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 842f8e665158d7d84370121a10f445e455150a4f6eed7dfe8eaa9ddf9ac4bfe0
Instruction ID: cc784e4c33a79362d9d51da698157abeb2ba93d519395b3cec15ef59ddfcebec
Opcode Fuzzy Hash: 842f8e665158d7d84370121a10f445e455150a4f6eed7dfe8eaa9ddf9ac4bfe0
Instruction Fuzzy Hash: E4F0E2316073A477DB215F639D09B9B379CBFC9BA0B344522B81AAB690CE30D80186E0

Function 00AE3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f1903ec99ebc764e9a0aedc32fb11271e6d0eaf0b05abfc6708c1d5a626bf8ce
Instruction ID: a3561fe34de22dff11f18d85d68889dc1fe02092f966c511e5cecf596d1a8703
Opcode Fuzzy Hash: f1903ec99ebc764e9a0aedc32fb11271e6d0eaf0b05abfc6708c1d5a626bf8ce
Instruction Fuzzy Hash: 28E065331022A477DE313B779D09B9B3759AB82BB0F150122BD5697591DF21DE0182E1

Function 00AB4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4F6D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3c964d60b3bfad4927a31aa12c17161fbfaac172b18d69c08d1d19c99ab2654c
Instruction ID: 7a20600935978f033899f08e7845c9cddef83394304c0008c04194a1e9ee6104
Opcode Fuzzy Hash: 3c964d60b3bfad4927a31aa12c17161fbfaac172b18d69c08d1d19c99ab2654c
Instruction Fuzzy Hash: E4F01571505752CFDB349F74D5908A2BBF8AF18B29320896EE1EA83623CB319844DF10

Function 00B42A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B42A66

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 803a3475f2f4e568029abcd5cb909d99cb8e69840e6e1669c895cb5a4b2a70c9
Instruction ID: f2ea98f82b99217f629a30b94c5dbd5534880980fa9726418186a8e376c656f3
Opcode Fuzzy Hash: 803a3475f2f4e568029abcd5cb909d99cb8e69840e6e1669c895cb5a4b2a70c9
Instruction Fuzzy Hash: 69E04F36350126AAC754EB30EC848FA77DCEB5139575045B6BC1AD3100EB309B96A6A0

Function 00AB30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AB314E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4f88dbd96ef2f6864f308d57dc1f1eec11fab6b7d98a606be322466cc3ced5b8
Instruction ID: 48a8c6c7b75b7c11e1ca3ade04d7c8a8604d35e6d2daf4a2b1b6ac97446b2a00
Opcode Fuzzy Hash: 4f88dbd96ef2f6864f308d57dc1f1eec11fab6b7d98a606be322466cc3ced5b8
Instruction Fuzzy Hash: BBF0A770901304AFEB529B28DC467D57BBCA701708F0000E5A14897292DB704789CF45

Function 00AB2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AB2DC4

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9e7c5e8362a24433dcc4364410fa7bfbab0b197ed02eef1262a74d27903b8dba
Instruction ID: c7daa0199082484c5377645472f9ab69254a54ca24156586e5e17f0783bee4a9
Opcode Fuzzy Hash: 9e7c5e8362a24433dcc4364410fa7bfbab0b197ed02eef1262a74d27903b8dba
Instruction Fuzzy Hash: 43E0CD766011245BC71096989C05FEA77EDDFC8790F040071FD09D7248D9A4AD808650

Function 00AB2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00AB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB3908

Part of subcall function 00ABD730: GetInputState.USER32 ref: 00ABD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00AB2B6B

Part of subcall function 00AB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AB314E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 270159986de8c85f80fdb85fe4c4e40a4a077325e499267b760d207ca42c1783
Instruction ID: b5f6cd6e695e5f8e599cfa567a523b2761b11f48e7e1290d7873c3c979e6e239
Opcode Fuzzy Hash: 270159986de8c85f80fdb85fe4c4e40a4a077325e499267b760d207ca42c1783
Instruction Fuzzy Hash: 89E0863370524406CA04BBB499525EDA75D9BD1751F44197EF14243263DE2446468752

Function 00B1DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B1DF40

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 95393c87f47487a91028d2a6df77d833bdf8a6d356007dd164dfdb8549643af1
Instruction ID: 446fe1ed6f1dd2d4482fe35d1b4cc029efaa68ae601501b9b38b47dfd5657b0e
Opcode Fuzzy Hash: 95393c87f47487a91028d2a6df77d833bdf8a6d356007dd164dfdb8549643af1
Instruction Fuzzy Hash: AFD05EA6A002282BDF60A6749D0DDF73AACDB40210F0006A0786DD3152E924DE4486B0

Function 00AF039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00AF0704,?,?,00000000,?,00AF0704,00000000,0000000C), ref: 00AF03B7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3336b2d1049a6926cc7b3f47ad10f1cb42d68b5eff2f495c7f08f4af25c0d55b
Instruction ID: 62278dee17c1b6488572371c6113de4f56d4c3d4a3edd9143d65c66ffa1071d0
Opcode Fuzzy Hash: 3336b2d1049a6926cc7b3f47ad10f1cb42d68b5eff2f495c7f08f4af25c0d55b
Instruction Fuzzy Hash: 22D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E921AB90

Function 00AB1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00AB1CBC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: ccd7ea085d49c45eb282b6168e1b6ba6fefb7832d144ec45cf6faae3df9ed0e4
Instruction ID: cb58587ed4572f3ef1492786307c7c87c1b03780e64fdccf1dae23915a1a345f
Opcode Fuzzy Hash: ccd7ea085d49c45eb282b6168e1b6ba6fefb7832d144ec45cf6faae3df9ed0e4
Instruction Fuzzy Hash: D1C04C35281204AAE2144784BC4BF547754A358B00F044401F609565F38AA15410D754

Non-executed Functions

Function 00B49576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B4961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B4965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B4969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B496C9
SendMessageW.USER32 ref: 00B496F2
GetKeyState.USER32(00000011), ref: 00B4978B
GetKeyState.USER32(00000009), ref: 00B49798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B497AE
GetKeyState.USER32(00000010), ref: 00B497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B497E9
SendMessageW.USER32 ref: 00B49810
SendMessageW.USER32(?,00001030,?,00B47E95), ref: 00B49918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B4992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B49941
SetCapture.USER32(?), ref: 00B4994A
ClientToScreen.USER32(?,?), ref: 00B499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B499D6
ReleaseCapture.USER32 ref: 00B499E1
GetCursorPos.USER32(?), ref: 00B49A19
ScreenToClient.USER32(?,?), ref: 00B49A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B49A80
SendMessageW.USER32 ref: 00B49AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B49AEB
SendMessageW.USER32 ref: 00B49B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B49B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B49B4A
GetCursorPos.USER32(?), ref: 00B49B68
ScreenToClient.USER32(?,?), ref: 00B49B75
GetParent.USER32(?), ref: 00B49B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B49BFA
SendMessageW.USER32 ref: 00B49C2B
ClientToScreen.USER32(?,?), ref: 00B49C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B49CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B49CDE
SendMessageW.USER32 ref: 00B49D01
ClientToScreen.USER32(?,?), ref: 00B49D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B49D82

Part of subcall function 00AC9944: GetWindowLongW.USER32(?,000000EB), ref: 00AC9952

GetWindowLongW.USER32(?,000000F0), ref: 00B49E05

Strings

@GUI_DRAGID, xrefs: 00B4997D
F, xrefs: 00B49D07

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8eaa10da414a7e9ad34156b2c5feccbbb6a02362152780b2b410c41502f04ebf
Instruction ID: 2716c9e9ec9edbc233cd5fc3cab7115feadc5f85cf02154eccbb3e96993d4e67
Opcode Fuzzy Hash: 8eaa10da414a7e9ad34156b2c5feccbbb6a02362152780b2b410c41502f04ebf
Instruction Fuzzy Hash: 2E429F34205201AFD720CF28CC85EABBBE9FF49710F114A99F599872A1DB31EA51EF51

Function 00B44873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B44908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B44927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B4494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B4495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B4497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B44A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B44A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B44A7E
IsMenu.USER32(?), ref: 00B44A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B44AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B44B20
GetWindowLongW.USER32(?,000000F0), ref: 00B44B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B44BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B44C82
wsprintfW.USER32 ref: 00B44CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B44CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B44CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B44D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B44D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B44D5A

Strings

%d/%02d/%02d, xrefs: 00B44CA8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 72a40c1112329b89c79c1021c74b80266d2bd00ce38267ba3ca3f65a50514cd5
Instruction ID: 36c4f169d1fd923dac272b87d63bfa0972d7107dadc3c70f190c4241ac578604
Opcode Fuzzy Hash: 72a40c1112329b89c79c1021c74b80266d2bd00ce38267ba3ca3f65a50514cd5
Instruction Fuzzy Hash: 4A12E171600214ABEB248F28CC49FAE7BF8FF45710F1041A9F91ADB2E1DB749A51DB50

Function 00ACF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00ACF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B0F474
IsIconic.USER32(00000000), ref: 00B0F47D
ShowWindow.USER32(00000000,00000009), ref: 00B0F48A
SetForegroundWindow.USER32(00000000), ref: 00B0F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0F4AA
GetCurrentThreadId.KERNEL32 ref: 00B0F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B0F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B0F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B0F4DE
SetForegroundWindow.USER32(00000000), ref: 00B0F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F4F6
keybd_event.USER32(00000012,00000000), ref: 00B0F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F50B
keybd_event.USER32(00000012,00000000), ref: 00B0F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F519
keybd_event.USER32(00000012,00000000), ref: 00B0F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F528
keybd_event.USER32(00000012,00000000), ref: 00B0F52D
SetForegroundWindow.USER32(00000000), ref: 00B0F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B0F557

Strings

Shell_TrayWnd, xrefs: 00B0F46F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 86f2f9c48427f96e700b8825aef658e0956f407d779115f3f96400aa5b63c458
Instruction ID: 4381287393d176e1bbb00e9c29b1f9a5d590f93d83ad5fa5dc2c2f0818fe6d24
Opcode Fuzzy Hash: 86f2f9c48427f96e700b8825aef658e0956f407d779115f3f96400aa5b63c458
Instruction Fuzzy Hash: 32314D75B41218BBEB206BA55C4AFBF7EACFB45F50F110065FA00E71D1CBB06E00AA60

Function 00B11201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
Part of subcall function 00B116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
Part of subcall function 00B116C3: GetLastError.KERNEL32 ref: 00B1174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B11286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B112A8
CloseHandle.KERNEL32(?), ref: 00B112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B112D1
GetProcessWindowStation.USER32 ref: 00B112EA
SetProcessWindowStation.USER32(00000000), ref: 00B112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B11310

Part of subcall function 00B110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B111FC), ref: 00B110D4
Part of subcall function 00B110BF: CloseHandle.KERNEL32(?,?,00B111FC), ref: 00B110E9

Strings

winsta0, xrefs: 00B112CC
, xrefs: 00B1125A
default, xrefs: 00B1130B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: c2e2ae48a41029a131374feb62c25988f4aeba5f5314adac319b99b0e3eccd12
Instruction ID: 2392ef1c2a83793056afd7f9d465c7134cd9cdc2300ce84cc3db97038216a2ae
Opcode Fuzzy Hash: c2e2ae48a41029a131374feb62c25988f4aeba5f5314adac319b99b0e3eccd12
Instruction Fuzzy Hash: 19818071900209AFDF109FA8DC49BEE7BB9FF05B04F144569FA11B6260D7718A84CF61

Function 00B10B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B11114
Part of subcall function 00B110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11120
Part of subcall function 00B110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B1112F
Part of subcall function 00B110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11136
Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B10BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B10C00
GetLengthSid.ADVAPI32(?), ref: 00B10C17
GetAce.ADVAPI32(?,00000000,?), ref: 00B10C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B10C6D
GetLengthSid.ADVAPI32(?), ref: 00B10C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B10C8C
HeapAlloc.KERNEL32(00000000), ref: 00B10C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B10CB4
CopySid.ADVAPI32(00000000), ref: 00B10CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B10CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B10D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B10D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10D45
HeapFree.KERNEL32(00000000), ref: 00B10D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10D55
HeapFree.KERNEL32(00000000), ref: 00B10D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10D65
HeapFree.KERNEL32(00000000), ref: 00B10D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B10D78
HeapFree.KERNEL32(00000000), ref: 00B10D7F

Part of subcall function 00B11193: GetProcessHeap.KERNEL32(00000008,00B10BB1,?,00000000,?,00B10BB1,?), ref: 00B111A1
Part of subcall function 00B11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B10BB1,?), ref: 00B111A8
Part of subcall function 00B11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B10BB1,?), ref: 00B111B7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7468d77fb563ebd573150d122f8e12cb250749da67207789fec75acb0ebc08f8
Instruction ID: 21f06afb69de3fac7a3297979e1628572c4deac2af14d12a45e46b6b6852a3f5
Opcode Fuzzy Hash: 7468d77fb563ebd573150d122f8e12cb250749da67207789fec75acb0ebc08f8
Instruction Fuzzy Hash: 1671A07590120AABDF10EFE4DC44FEEBBB8FF05700F5445A5E914A7250DBB1AA85CB60

Function 00B2EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B4CC08), ref: 00B2EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B2EB37
GetClipboardData.USER32(0000000D), ref: 00B2EB43
CloseClipboard.USER32 ref: 00B2EB4F
GlobalLock.KERNEL32(00000000), ref: 00B2EB87
CloseClipboard.USER32 ref: 00B2EB91
GlobalUnlock.KERNEL32(00000000), ref: 00B2EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00B2EBC9
GetClipboardData.USER32(00000001), ref: 00B2EBD1
GlobalLock.KERNEL32(00000000), ref: 00B2EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00B2EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B2EC38
GetClipboardData.USER32(0000000F), ref: 00B2EC44
GlobalLock.KERNEL32(00000000), ref: 00B2EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B2EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B2EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B2ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00B2ECF3
CountClipboardFormats.USER32 ref: 00B2ED14
CloseClipboard.USER32 ref: 00B2ED59

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9aff82257d2e85a394fb2c9b5096ea2ba9f7f434bcfcf07fe36d82f533cf4a17
Instruction ID: 377a5c8a726fa037bcc5c677fcb00e0fe626b0c64e16594a57c6eb514b2d8b52
Opcode Fuzzy Hash: 9aff82257d2e85a394fb2c9b5096ea2ba9f7f434bcfcf07fe36d82f533cf4a17
Instruction Fuzzy Hash: E961E034204201AFD300EF65E888F6A7BE8FF85B54F144599F46A872A2CF71DE05CB62

Function 00B2698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B269BE
FindClose.KERNEL32(00000000), ref: 00B26A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B26A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B26A75

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B26AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B26ADF

Strings

%02d, xrefs: 00B26C00, 00B26C0A, 00B26C5A, 00B26CAA, 00B26CFA, 00B26D4A
%4d, xrefs: 00B26BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B26B32
%4d%02d%02d%02d%02d%02d, xrefs: 00B26B6A
%03d, xrefs: 00B26DA2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6e9edbf3defe77411e5aca9d2ed26f7a060358a6edb448c6a0cb602b86888123
Instruction ID: 978141ff811e0e191b89476b901800e67bab5281bf347153da87c73e876cf6de
Opcode Fuzzy Hash: 6e9edbf3defe77411e5aca9d2ed26f7a060358a6edb448c6a0cb602b86888123
Instruction Fuzzy Hash: 8CD16172508340AFC310EBA4D982EAFB7ECAF89704F04495DF589D7192EB75DA44CB62

Function 00B29642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B29663
GetFileAttributesW.KERNEL32(?), ref: 00B296A1
SetFileAttributesW.KERNEL32(?,?), ref: 00B296BB
FindNextFileW.KERNEL32(00000000,?), ref: 00B296D3
FindClose.KERNEL32(00000000), ref: 00B296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00B296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00B2974A
SetCurrentDirectoryW.KERNEL32(00B76B7C), ref: 00B29768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B29772
FindClose.KERNEL32(00000000), ref: 00B2977F
FindClose.KERNEL32(00000000), ref: 00B2978F

Strings

*.*, xrefs: 00B296F5

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 457b5a4328516c7cb16e07dd7cf78564a5fac54063c427714faa38b862ed361c
Instruction ID: d8b8a14cd5f7200f26a6a2b5d366da21ee3c676c7020d934f818302b741ac5d8
Opcode Fuzzy Hash: 457b5a4328516c7cb16e07dd7cf78564a5fac54063c427714faa38b862ed361c
Instruction Fuzzy Hash: 2231F3365016296BDB14AFB4EC49ADE3BECEF0A720F104196F91DE31A0DB70DE448A14

Function 00B2979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00B29819
FindClose.KERNEL32(00000000), ref: 00B29824
FindFirstFileW.KERNEL32(*.*,?), ref: 00B29840
SetCurrentDirectoryW.KERNEL32(?), ref: 00B29890
SetCurrentDirectoryW.KERNEL32(00B76B7C), ref: 00B298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B298B8
FindClose.KERNEL32(00000000), ref: 00B298C5
FindClose.KERNEL32(00000000), ref: 00B298D5

Part of subcall function 00B1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B1DB00

Strings

*.*, xrefs: 00B2983B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3845af7bbdf966603016160dd0e1acf2c7b2adf62bae26b2f20bacb0ba8fdf25
Instruction ID: ec0ef97ae83ad72b5a0d1bf3ae7b0e75f8bc80721238c9d09e37a71d43939b23
Opcode Fuzzy Hash: 3845af7bbdf966603016160dd0e1acf2c7b2adf62bae26b2f20bacb0ba8fdf25
Instruction Fuzzy Hash: CA3103315016296ADB14EFB4EC48ADE37ECEF06760F1841E6E81CE71E0DB70DE448A24

Function 00B3BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00B3BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00B3BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B3C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B3C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B3C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B3C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00B3C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B3C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B3C382
RegCloseKey.ADVAPI32(00000000), ref: 00B3C38F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: cb9eef02afabced3f955590e2b14525b54045a54dc43d2c819307b3c6233806a
Instruction ID: 42fa5f993d1facab51000f7732299b40afa4ce380925fbf56066be4e22a7d115
Opcode Fuzzy Hash: cb9eef02afabced3f955590e2b14525b54045a54dc43d2c819307b3c6233806a
Instruction Fuzzy Hash: E9025E716042009FC714DF68C891E2ABBE5EF89314F28C49DF84ADB2A2DB31ED45CB52

Function 00B1D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2

Part of subcall function 00B1E199: GetFileAttributesW.KERNEL32(?,00B1CF95), ref: 00B1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B1D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B1D1DD
MoveFileW.KERNEL32(?,?), ref: 00B1D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B1D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B1D237

Part of subcall function 00B1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B1D21C,?,?), ref: 00B1D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00B1D253
FindClose.KERNEL32(00000000), ref: 00B1D264

Strings

\*.*, xrefs: 00B1D0CD, 00B1D0D6, 00B1D0EB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c6b103d50508b341ae97e4337c3851acb705990d104b2cc930d3b383300f89ee
Instruction ID: 5c6ca75dcec96c8a356a3ef114b25828f5b74fc4f74146e870bfbd366f320b14
Opcode Fuzzy Hash: c6b103d50508b341ae97e4337c3851acb705990d104b2cc930d3b383300f89ee
Instruction Fuzzy Hash: 5E615E3180110DAFCF05EBE0DA929EEBBB9AF15300F6441A9E41577192EB31AF49DB61

Function 00B2ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B2ED91
EmptyClipboard.USER32 ref: 00B2ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00B2EDAC
CloseClipboard.USER32 ref: 00B2EEA3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 273acb1cd91856745e1cd497faae389c63a5dd0fc05ed7a967320b4f6a065562
Instruction ID: 4aaa4ef1ccee2ae6d32795d3f816f3e068c0969a2c470d672912318212dec13f
Opcode Fuzzy Hash: 273acb1cd91856745e1cd497faae389c63a5dd0fc05ed7a967320b4f6a065562
Instruction Fuzzy Hash: 7141D035205621AFD320DF16E888F69BBE5FF45328F15C099E4298B762CB71ED42CB90

Function 00B1E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
Part of subcall function 00B116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
Part of subcall function 00B116C3: GetLastError.KERNEL32 ref: 00B1174A

ExitWindowsEx.USER32(?,00000000), ref: 00B1E932

Strings

, xrefs: 00B1E920
, xrefs: 00B1E95C
SeShutdownPrivilege, xrefs: 00B1E902
@, xrefs: 00B1E925

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 67529d0278279fad1e3c653f25478fed4e0eeb8c98e28e63c22a86247da39aae
Instruction ID: d93d2e818bf90a6afe9ad7bc78d30cf2a54ce2b4775ee6be9ed0cfeaca083b83
Opcode Fuzzy Hash: 67529d0278279fad1e3c653f25478fed4e0eeb8c98e28e63c22a86247da39aae
Instruction Fuzzy Hash: 40012B32610311ABEB5426749C8ABFF72DCEB18780F5448A2FD23E31D1DAB59DC081A4

Function 00B31204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B31276
WSAGetLastError.WSOCK32 ref: 00B31283
bind.WSOCK32(00000000,?,00000010), ref: 00B312BA
WSAGetLastError.WSOCK32 ref: 00B312C5
closesocket.WSOCK32(00000000), ref: 00B312F4
listen.WSOCK32(00000000,00000005), ref: 00B31303
WSAGetLastError.WSOCK32 ref: 00B3130D
closesocket.WSOCK32(00000000), ref: 00B3133C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9c561f67375a1e24c6fc76d9e228da72de3269a21a8be678c9cc28f9c36f18ab
Instruction ID: 89b5417981b660b512fdc06d6485292537788afbe56e111f2188c630c4a14986
Opcode Fuzzy Hash: 9c561f67375a1e24c6fc76d9e228da72de3269a21a8be678c9cc28f9c36f18ab
Instruction Fuzzy Hash: 3F4182356001009FD710DF28C984B6ABBE9FF46714F2885C8E8569F296C771ED81CBA1

Function 00B1D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2

Part of subcall function 00B1E199: GetFileAttributesW.KERNEL32(?,00B1CF95), ref: 00B1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B1D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B1D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B1D481
FindClose.KERNEL32(00000000), ref: 00B1D498
FindClose.KERNEL32(00000000), ref: 00B1D4A1

Strings

\*.*, xrefs: 00B1D3F2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b0a001aaa05526d149762c8e17e7646b8c081871ef3971e6f6c3ef6934869293
Instruction ID: 6f91aa80584e50e5382e20a318a68283141bba032b476f2b5a4768718d448db3
Opcode Fuzzy Hash: b0a001aaa05526d149762c8e17e7646b8c081871ef3971e6f6c3ef6934869293
Instruction Fuzzy Hash: 9C318031009341ABC304EF64D9919EFBBECBE96300F844A5DF4D593292EB70AA49D763

Function 00AEE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00AEE645

Strings

1#INF, xrefs: 00AEF852
1#IND, xrefs: 00AEF83D
1#QNAN, xrefs: 00AEF84B
1#SNAN, xrefs: 00AEF844

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 30319e50bb5206eafdc7775e295c7493d6f4b4128a4d0de465b6acc5a1898966
Instruction ID: 8d24adfea5de6f96f5dc3478983156d2069421c6bd4d628318861e236add4500
Opcode Fuzzy Hash: 30319e50bb5206eafdc7775e295c7493d6f4b4128a4d0de465b6acc5a1898966
Instruction Fuzzy Hash: ABC25B71E086698FDB25CF29DD407EAB7B5EB48305F1441EAD84EE7280E775AE818F40

Function 00B2648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B264DC
CoInitialize.OLE32(00000000), ref: 00B26639
CoCreateInstance.OLE32(00B4FCF8,00000000,00000001,00B4FB68,?), ref: 00B26650
CoUninitialize.OLE32 ref: 00B268D4

Strings

.lnk, xrefs: 00B264BA, 00B26524, 00B265E0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 794d75333101f0f4f173dee7dc91e5ba57969a1d6bab9b421f0d1f1169e4fd49
Instruction ID: d98dee484fc54776d605a31862f2d46a9c42133b620dd1bb0655b6950a998412
Opcode Fuzzy Hash: 794d75333101f0f4f173dee7dc91e5ba57969a1d6bab9b421f0d1f1169e4fd49
Instruction Fuzzy Hash: 26D15971508311AFC304EF24C9819ABB7E8FF94704F10496DF5998B2A2EB71ED05CBA2

Function 00B322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00B322E8

Part of subcall function 00B2E4EC: GetWindowRect.USER32(?,?), ref: 00B2E504

GetDesktopWindow.USER32 ref: 00B32312
GetWindowRect.USER32(00000000), ref: 00B32319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B32355
GetCursorPos.USER32(?), ref: 00B32381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B323DF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: bed7446012936dbf4b50a3dc6082278029175c5fcc659074840f5a0bab4a026b
Instruction ID: 87f874a9e37411869da50dfa05d2e0820f1386ee942cafe81503335a60efa44e
Opcode Fuzzy Hash: bed7446012936dbf4b50a3dc6082278029175c5fcc659074840f5a0bab4a026b
Instruction Fuzzy Hash: B3313132505315AFCB20DF14D849F9BBBE9FF84710F100919F999A7181CB30EA08CB92

Function 00B29B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B29B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B29C8B

Part of subcall function 00B23874: GetInputState.USER32 ref: 00B238CB
Part of subcall function 00B23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B23966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B29BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B29C75

Strings

*.*, xrefs: 00B29B5D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ef403f75dcaed3a4a201a653c63ef354f6356f250f406b9d52028e9a80a49f23
Instruction ID: 1fd0455bb884006c2f1698d13562ba8a4c484b07f970f27914391d9909684086
Opcode Fuzzy Hash: ef403f75dcaed3a4a201a653c63ef354f6356f250f406b9d52028e9a80a49f23
Instruction Fuzzy Hash: 52416071905219AFDF55DFA4D989AEE7BF8FF05310F24409AE409A6191EB309E84CF60

Function 00AC997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AC9A4E
GetSysColor.USER32(0000000F), ref: 00AC9B23
SetBkColor.GDI32(?,00000000), ref: 00AC9B36

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 41827d727d60b26afb0c80d0c750eccaf2376a5195e555d325a3ec3889406c50
Instruction ID: 377dfdc701e0c792a8ea6afe4850908963df7c044ef1d0e85f770a03fd5b2425
Opcode Fuzzy Hash: 41827d727d60b26afb0c80d0c750eccaf2376a5195e555d325a3ec3889406c50
Instruction Fuzzy Hash: D8A11B71549444BEE7259B2C8C8DF7B6AEDEB42380F16418DF402DA5E1CE25AE02D375

Function 00B31806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B3307A
Part of subcall function 00B3304E: _wcslen.LIBCMT ref: 00B3309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B3185D
WSAGetLastError.WSOCK32 ref: 00B31884
bind.WSOCK32(00000000,?,00000010), ref: 00B318DB
WSAGetLastError.WSOCK32 ref: 00B318E6
closesocket.WSOCK32(00000000), ref: 00B31915

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c074e8a7b7eec98129918450823d7eb4e8033ebb4b60d57ce60f706368d74265
Instruction ID: 809fd22259a827bfa46df0c3f9d5f0b2badcc21f8008f65aee5e2ff2d3463d09
Opcode Fuzzy Hash: c074e8a7b7eec98129918450823d7eb4e8033ebb4b60d57ce60f706368d74265
Instruction Fuzzy Hash: CC51B375A00200AFDB10AF24C986F7A77E9EB45718F18859CF9065F3D3CB75AD418BA1

Function 00B41C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B41CC0
IsWindowEnabled.USER32 ref: 00B41CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00B41CDB
IsIconic.USER32 ref: 00B41CE9
IsZoomed.USER32 ref: 00B41CF7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e1424bc03e06ef181c2d5ecac086d43464858795790aeffe8cf15d566eba3970
Instruction ID: 5af4590a94eaa8ed13999444a3f4f15e860e02afb526ab1d7c5e62e679fe07ac
Opcode Fuzzy Hash: e1424bc03e06ef181c2d5ecac086d43464858795790aeffe8cf15d566eba3970
Instruction Fuzzy Hash: 4821D631B412105FD7208F2EDC84B6A7BE5FF85715B1984A8E8458F352CB71DE82DB90

Function 00AB8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00AB843C
VUUU, xrefs: 00AB83FA
VUUU, xrefs: 00AB83E8
VUUU, xrefs: 00AF5DF0
ERCP, xrefs: 00AB813C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1c5d0364e98c165394fcd2af8df760a2ef3fd188e206eba06d573a192e53764f
Instruction ID: d1e8a0ae84389079bdbf6cfbf6ee48b4e3fc3744657e87bb0278103c1308de1e
Opcode Fuzzy Hash: 1c5d0364e98c165394fcd2af8df760a2ef3fd188e206eba06d573a192e53764f
Instruction Fuzzy Hash: 5EA26D70E0061ACBDF24CF98C9507FDB7B9BF54314F2481A9EA15AB286EB749D81CB50

Function 00B1AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B1AAAC
SetKeyboardState.USER32(00000080), ref: 00B1AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B1AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B1AB88

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6d86a283ab153ba51fb7304f63341be8d131bf0c1fb03478a82581b0a46145c6
Instruction ID: 5806d2c6d30066e5b4bb83b9ee3ae010e63598ce5da010d3219533ed4246b893
Opcode Fuzzy Hash: 6d86a283ab153ba51fb7304f63341be8d131bf0c1fb03478a82581b0a46145c6
Instruction Fuzzy Hash: DC314870A46288AEFB30CB64CC05BFB7BE6EF45310F84429AF181521D0C374AAC1C762

Function 00AEBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AEBB7F

Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0

GetTimeZoneInformation.KERNEL32 ref: 00AEBB91
WideCharToMultiByte.KERNEL32(00000000,?,00B8121C,000000FF,?,0000003F,?,?), ref: 00AEBC09
WideCharToMultiByte.KERNEL32(00000000,?,00B81270,000000FF,?,0000003F,?,?,?,00B8121C,000000FF,?,0000003F,?,?), ref: 00AEBC36

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 2bc3747fd59497b10ad2084bf573bbe26c6f7b9728a73bec680c032093a2fdac
Instruction ID: 26b1dda9c24d3e79325c1a2129b4282e79bc47252a15caa9b52fb31c3ba35322
Opcode Fuzzy Hash: 2bc3747fd59497b10ad2084bf573bbe26c6f7b9728a73bec680c032093a2fdac
Instruction Fuzzy Hash: 2231C671909285DFCB11DF6ADC8596EBBBCFF85710B24469AE054DB2B1DB309E02CB60

Function 00B2CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B2CE89
GetLastError.KERNEL32(?,00000000), ref: 00B2CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00B2CEFE

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 93d7c774e05317e08e746ad313187fc67a133919c9d5e30ef641dacb1f0c4a2e
Instruction ID: bd01d2997ba72385a178536661a65f4a31be882efa58f729cdcecfe22e6894bb
Opcode Fuzzy Hash: 93d7c774e05317e08e746ad313187fc67a133919c9d5e30ef641dacb1f0c4a2e
Instruction Fuzzy Hash: E921CFB15007159BDB20EFA5EA88BAB7BFCEB00758F10445EE54AD2151EB74EE098B50

Function 00B18298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B182AA

Strings

|, xrefs: 00B182DA
(, xrefs: 00B182F0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3fe6328ed2c2b4e072d85e5dfa5089542fef73cb95fa746ae8ded15b745e1218
Instruction ID: c98c56f71d371ae1260ffe71335c502816c03a8abf683fe8403d4f9a23e29e15
Opcode Fuzzy Hash: 3fe6328ed2c2b4e072d85e5dfa5089542fef73cb95fa746ae8ded15b745e1218
Instruction Fuzzy Hash: 75323875A007059FC728CF19D0809AAB7F1FF48710B55C5AEE49ADB3A1EB70E981CB44

Function 00B25C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B25CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00B25D17
FindClose.KERNEL32(?), ref: 00B25D5F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f587996ed930551550ec06f3795b69e5f48f3479f1119f80a29b332de789fd4b
Instruction ID: a8778947b805cce3238a35d2cbf13c975ed9a511029beec1766272b0c8b707d8
Opcode Fuzzy Hash: f587996ed930551550ec06f3795b69e5f48f3479f1119f80a29b332de789fd4b
Instruction Fuzzy Hash: 3D519934604A019FC724CF28D494E9AB7E4FF49324F1485AEE95A8B3A2DB30ED45CF91

Function 00AE2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00AE271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AE2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00AE2731

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4141fef7a62390cd4ad881b2af5b806ac41f53d9d969570784c2966bc4315164
Instruction ID: 26e90a6006fec188a9dce4cb45f54569855c203fcd5c85059b404379314d0362
Opcode Fuzzy Hash: 4141fef7a62390cd4ad881b2af5b806ac41f53d9d969570784c2966bc4315164
Instruction Fuzzy Hash: F231D5749012189BCB21DF64DD88BDDBBB8BF08750F5041EAE40CA7260EB709F818F44

Function 00B251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B25238
SetErrorMode.KERNEL32(00000000), ref: 00B252A1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6eac1137b9081d23797d701284c2ab731cad2f0c1e5fcc9d3f00469cbcb1c973
Instruction ID: 383090690ebd625adb4fcc08ce397e0430b0a0db667c4d63cd5099b4a6365354
Opcode Fuzzy Hash: 6eac1137b9081d23797d701284c2ab731cad2f0c1e5fcc9d3f00469cbcb1c973
Instruction Fuzzy Hash: B1314C75A00618DFDB00DF54D884EADBBF4FF49314F148099E809AB3A2DB31E955CB90

Function 00B116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00ACFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0668
Part of subcall function 00ACFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
GetLastError.KERNEL32 ref: 00B1174A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f452bd526f4361f85c621623cfa72d9efbd9d4d1862169dd014b481f5389932e
Instruction ID: 6896f920bdbf75113cce485ad984cfe80bf2d6fe4e7496d6536ba79e25b7365d
Opcode Fuzzy Hash: f452bd526f4361f85c621623cfa72d9efbd9d4d1862169dd014b481f5389932e
Instruction Fuzzy Hash: CF11C1B2400304AFD7189F54DCC6EAABBF9FB04714B20856EE05657291EB70BC818A24

Function 00B1D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B1D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B1D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B1D650

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0e9a2ba3bcff6e2701e34bbf6fe3bd87a04c6015827d6692d99c9f8b4720d11d
Instruction ID: 091708a47fbb32750fd9cfdb1631cb6ba504ee86846fb61e4a8e5c8d4d241ba6
Opcode Fuzzy Hash: 0e9a2ba3bcff6e2701e34bbf6fe3bd87a04c6015827d6692d99c9f8b4720d11d
Instruction Fuzzy Hash: CE113C75E05228BBDB208F999C45FAFBFBCEB46B50F108155F904E7290D6B05A058BA1

Function 00B11663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B1168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B116A1
FreeSid.ADVAPI32(?), ref: 00B116B1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5fece2eac7548509a2f91fa8da064e0b73ffaec1587f741e3779baaf85c0bb7c
Instruction ID: 0f35468562305215cca28c26d6a2a37962932eb687cf03b462c09e82df4d3576
Opcode Fuzzy Hash: 5fece2eac7548509a2f91fa8da064e0b73ffaec1587f741e3779baaf85c0bb7c
Instruction Fuzzy Hash: D4F0F475A51309FBDB00DFE49C89AAEBBBCFB08605F5049A5E501E2281E774AA448A54

Function 00ADCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 60bd4f9d61c20c4e40f39090ef4c0f3c26ee30c45c41ad2dd44b5f95c368f28b
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 1E021E71E0021A9FDF14CFA9C9806ADFBF1EF48324F65416AD91AE7384D731AA41CB94

Function 00B268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B26918
FindClose.KERNEL32(00000000), ref: 00B26961

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 279dff4990d09f56c19b9042e7c77dcc07792058925189147f77a9e9abbaa29b
Instruction ID: c090da4702aac84b82b4bb546c4b60d5cd2df2905802539f3a0fff1f88002de5
Opcode Fuzzy Hash: 279dff4990d09f56c19b9042e7c77dcc07792058925189147f77a9e9abbaa29b
Instruction Fuzzy Hash: CD11D0356042109FC710CF29D488A26BBE4FF89328F04C699F4698F2A2CB70EC45CB90

Function 00B237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B34891,?,?,00000035,?), ref: 00B237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B34891,?,?,00000035,?), ref: 00B237F4

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e0db6b9266eea740af242633c0b32eed6aa576b436fbefd8ee787a4d3d611716
Instruction ID: 6e4bf47cafe063beaac734bba219909bb35aec8216c3c350ab21d50473a9442e
Opcode Fuzzy Hash: e0db6b9266eea740af242633c0b32eed6aa576b436fbefd8ee787a4d3d611716
Instruction Fuzzy Hash: 46F0EC746052286BDB5017A65D4DFEB3ADDEFC5B61F000165F509D3191D9609D04C7B1

Function 00B1B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B1B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B1B270

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c855308661696165d0a39a7e154993ea14a226a41854c2d370df8399f55afe65
Instruction ID: 63c5cc5576fe3510fdf2743f0ea6a3d625ad7bdd8b4ffc56ba92e71544f4b0ce
Opcode Fuzzy Hash: c855308661696165d0a39a7e154993ea14a226a41854c2d370df8399f55afe65
Instruction Fuzzy Hash: BBF0677480428EABDB058FA0C806BEE7FB0FF08309F00804AF961A61A2C77986059F94

Function 00B110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B111FC), ref: 00B110D4
CloseHandle.KERNEL32(?,?,00B111FC), ref: 00B110E9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4ed210ff4880f9e53d079a9898515ff8211c677e5a471799d665460d7fef994c
Instruction ID: 056d137fa65d28ce783bf8c90d8a048bf4d04215e0ce6d72744c68fd48db84eb
Opcode Fuzzy Hash: 4ed210ff4880f9e53d079a9898515ff8211c677e5a471799d665460d7fef994c
Instruction Fuzzy Hash: BBE04F32005610AEE7252B15FC09F737BE9FB04710B10882DF5A6814B1DB626C90DB14

Function 00ABCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00B00C40

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a1574f45b732a38b0c08860813baef263583ccc1627222b7cf2124b03723a43f
Instruction ID: 2cea1af7d017262117ccd1cadc2371f6c607e0f279a3c44d0a5e74072926cbbc
Opcode Fuzzy Hash: a1574f45b732a38b0c08860813baef263583ccc1627222b7cf2124b03723a43f
Instruction Fuzzy Hash: 0A328A34910218DBCF14EF94C981FEDBBB9FF15314F1480A9E806AB292DB75AE45CB60

Function 00AE676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AE6766,?,?,00000008,?,?,00AEFEFE,00000000), ref: 00AE6998

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4cca42c8ce9e72f99a58cf7778bea8a5ef544e0391cac78c14571f40180aa7e0
Instruction ID: d888daa2dd87c5fea7deb83111e62ca4a6d62100863531861e94f216f8069900
Opcode Fuzzy Hash: 4cca42c8ce9e72f99a58cf7778bea8a5ef544e0391cac78c14571f40180aa7e0
Instruction Fuzzy Hash: 1FB15A71610648DFD719CF29C48AB657BF0FF553A4F298A58E899CF2A2C335E981CB40

Function 00ACB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00B0851F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c9857ca83bf8600f92f27d7e9eee5c09e4c6fc855eb90af4a8eb2867e687f4a8
Instruction ID: 22bca97e9af321e3ee90d861896a39f8c0d528ba758f5cbf9a616e0908610da7
Opcode Fuzzy Hash: c9857ca83bf8600f92f27d7e9eee5c09e4c6fc855eb90af4a8eb2867e687f4a8
Instruction Fuzzy Hash: F3124075910229DBCB14CF58C981BEEB7F5FF48710F15819AE849EB291DB319A81CFA0

Function 00B2EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B2EABD

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 86d29acdd4b97d2fcad80d1cb3c9f5323d39c84feb464daf650811d4fcb0ccb7
Instruction ID: 9c070dad6e894f70342bee9c10506fa42bae67dbcbc7ed87334045ddd970d470
Opcode Fuzzy Hash: 86d29acdd4b97d2fcad80d1cb3c9f5323d39c84feb464daf650811d4fcb0ccb7
Instruction Fuzzy Hash: 87E012352102149FC710DF5AD444D9AB7EDAF59760F00845AFC4AC7251DB70E8408B91

Function 00AD09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00AD03EE), ref: 00AD09DA

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8ef84a580350c3c3f52d9ff120bad5612792c1ec050bec296436f866661499d9
Instruction ID: 186876142a242024687668bca15dedc64fe8eb2930b32d85624582742d26bb76
Opcode Fuzzy Hash: 8ef84a580350c3c3f52d9ff120bad5612792c1ec050bec296436f866661499d9
Instruction Fuzzy Hash:

Function 00AD781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00AD798B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 263d2c0ad9bdeaf1229c24e67fc10a5ed890e3232fd7c9547b6abc9979b4c195
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4B51557260C7455BDB3C8768896EBBE73A99B02340F18050BD887D7392FA15EE81E356

Function 00AE6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1ed224d9c73ec8d027e60f8307d5adcfd3fd5706500b29a81e582ced729234
Instruction ID: f1581f80d345ef3572ed012cfb26798f318b2ffbffbf18f601700a30da9e8765
Opcode Fuzzy Hash: 4e1ed224d9c73ec8d027e60f8307d5adcfd3fd5706500b29a81e582ced729234
Instruction Fuzzy Hash: 9E323522D29F814DD7239635DC223396259AFB73C6F25D737E81AB69A5EF29C4C34100

Function 00ACCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218f90f85061d76d837fe81d4e533d7d3701c02d8b7f1901f5cdc74e1cf46c14
Instruction ID: 3d99d18263d7db5a1c40ce56ab7facaac186dcd8e643d3b50f0767a5a6d71e2b
Opcode Fuzzy Hash: 218f90f85061d76d837fe81d4e533d7d3701c02d8b7f1901f5cdc74e1cf46c14
Instruction Fuzzy Hash: E232C032A041198BDF28CB29C4D4B7D7FE1EB45310F2986AAD89ADB2D5D730DD81EB41

Function 00AB7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce6867e7e3c14aaacf4a970a95e5976ac1f743c10a31713ca5a80779f6e16b1
Instruction ID: 5838f57ad635cd70711d7305c5ffc1da8204c6c5d5c391ba72186ee690a0172f
Opcode Fuzzy Hash: 5ce6867e7e3c14aaacf4a970a95e5976ac1f743c10a31713ca5a80779f6e16b1
Instruction Fuzzy Hash: CD229F70E046099FDF14CFA8C981AEEB7F6FF44300F244629E916AB292EB759D51CB50

Function 00AB91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021a1efbad4a35833d802e328ba4ee37662a8526e501982b9102f3d1c6518842
Instruction ID: 9d3f884bb3a6b60f2faca6eeca7c38864270ca3b66ad0a0eb8aa24000cf2dbfb
Opcode Fuzzy Hash: 021a1efbad4a35833d802e328ba4ee37662a8526e501982b9102f3d1c6518842
Instruction Fuzzy Hash: 7D02C6B0E00209EFDB04DF54D981BAEB7B5FF44340F118169F9169B2A1EB31AE61CB91

Function 00AE9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c511e203860bfa2a09e57ef8d179867c16c3977b83d3a536011cf817783de0
Instruction ID: a06a39064ff8aa8f567355b2c856257f8266b11396d1393051cb03b3febc8ecc
Opcode Fuzzy Hash: b4c511e203860bfa2a09e57ef8d179867c16c3977b83d3a536011cf817783de0
Instruction Fuzzy Hash: 1FB1F120D2AF414DD32396398831336B69CAFBB6D6F91D75BFC1675E22EF2286834140

Function 00AD1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: fbb0d8269d2e10fbe38a24b57b7040d5e783a41b591118564e3db2bc1c832425
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: FD9155726080A35ADB29473A857447EFFF15A923A131A079FD4F3CA2C5FE249A64D620

Function 00AD19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4b5845c95e447ddc554cce2d1f8f2e74d6573e299717b60003d48de56a2b4760
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 429130722090A35EDB2D477A857403EFFF15A923A231A079FD4F3CA2D5FE249664D620

Function 00AD7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e96fc5bf80ae0f804020db4446745e2f1b34aa2a8994faa465bbcee7210f535
Instruction ID: d4f14368d2e1225ce4bfbb3913bafea77e3eb3066f73a3b9cc2cb4d2c11ea098
Opcode Fuzzy Hash: 8e96fc5bf80ae0f804020db4446745e2f1b34aa2a8994faa465bbcee7210f535
Instruction Fuzzy Hash: 4461367160870996DB3C9B288DA6BBE73A4EF41740F64091BE883DB3A1FA15DE428355

Function 00AD7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e589815f369b21914beba8b6a1b4538df2859fcc408f75e0deb994701d4f60
Instruction ID: 70054b5e0d9f8a952fec7f27f27a4fa430675ad54f41eed6efe42e69343921ee
Opcode Fuzzy Hash: 56e589815f369b21914beba8b6a1b4538df2859fcc408f75e0deb994701d4f60
Instruction Fuzzy Hash: 0761697160870957DE3C8B288956BBF73A6EF42704F10095BE9C3DB381FE16ED428A55

Function 00AD1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 891a031759174e6424de4ef0d55a29e2cf35b390cf48801f8c5beb796cd5e7ee
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 708184726080A319EB2D877A857447EFFE15A923A131A079FD4F3CB3D1EE24C654E620

Function 00B22046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47050a65c8d34009a33602296303826b3e89d022a75f895a14aaa488f5d54bf
Instruction ID: 4af10b42ee49ea4a2f04c7ede36539d5b74a6cd8fbe7d7c2113d5bff9bb56049
Opcode Fuzzy Hash: d47050a65c8d34009a33602296303826b3e89d022a75f895a14aaa488f5d54bf
Instruction Fuzzy Hash: DE21B7326206118BD728CF79C82367E73E5E754310F15866EE4A7C77D0DE39A904CB80

Function 00B32ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B32B30
DeleteObject.GDI32(00000000), ref: 00B32B43
DestroyWindow.USER32 ref: 00B32B52
GetDesktopWindow.USER32 ref: 00B32B6D
GetWindowRect.USER32(00000000), ref: 00B32B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B32CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B32CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32CF8
GetClientRect.USER32(00000000,?), ref: 00B32D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B32D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D80
GlobalLock.KERNEL32(00000000), ref: 00B32D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D98
GlobalUnlock.KERNEL32(00000000), ref: 00B32DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32DA8
GlobalFree.KERNEL32(00000000), ref: 00B32DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B4FC38,00000000), ref: 00B32DDB
GlobalFree.KERNEL32(00000000), ref: 00B32DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B32E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B32E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B3303F

Strings

, xrefs: 00B32FC5
DISPLAY, xrefs: 00B32EA2
static, xrefs: 00B32D3A, 00B32E91
AutoIt v3, xrefs: 00B32CF2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: defe7c3ab841723835d0d8ea138ef3805339ef00b920fe31866f428ad1539a4c
Instruction ID: 6fd404f091f1e23fdbbdd3467bd15820f7d9a1cb002938d85e21f728aadf825c
Opcode Fuzzy Hash: defe7c3ab841723835d0d8ea138ef3805339ef00b920fe31866f428ad1539a4c
Instruction Fuzzy Hash: 6E028C75901204AFDB14DFA4CD89EAE7BB9FF49710F108558F916AB2A1DB70AE01CB60

Function 00B470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B4712F
GetSysColorBrush.USER32(0000000F), ref: 00B47160
GetSysColor.USER32(0000000F), ref: 00B4716C
SetBkColor.GDI32(?,000000FF), ref: 00B47186
SelectObject.GDI32(?,?), ref: 00B47195
InflateRect.USER32(?,000000FF,000000FF), ref: 00B471C0
GetSysColor.USER32(00000010), ref: 00B471C8
CreateSolidBrush.GDI32(00000000), ref: 00B471CF
FrameRect.USER32(?,?,00000000), ref: 00B471DE
DeleteObject.GDI32(00000000), ref: 00B471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00B47230
FillRect.USER32(?,?,?), ref: 00B47262
GetWindowLongW.USER32(?,000000F0), ref: 00B47284

Part of subcall function 00B473E8: GetSysColor.USER32(00000012), ref: 00B47421
Part of subcall function 00B473E8: SetTextColor.GDI32(?,?), ref: 00B47425
Part of subcall function 00B473E8: GetSysColorBrush.USER32(0000000F), ref: 00B4743B
Part of subcall function 00B473E8: GetSysColor.USER32(0000000F), ref: 00B47446
Part of subcall function 00B473E8: GetSysColor.USER32(00000011), ref: 00B47463
Part of subcall function 00B473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B47471
Part of subcall function 00B473E8: SelectObject.GDI32(?,00000000), ref: 00B47482
Part of subcall function 00B473E8: SetBkColor.GDI32(?,00000000), ref: 00B4748B
Part of subcall function 00B473E8: SelectObject.GDI32(?,?), ref: 00B47498
Part of subcall function 00B473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B474B7
Part of subcall function 00B473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B474CE
Part of subcall function 00B473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B474DB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dd4e04983f1fc7846fc9ecf7c6e676f29dbaa0eec8d0d5915d49bcf9caca7d08
Instruction ID: ac5adcdd073166674171f89bd6decaf6c5ae494b8fc07e6ae9f1e726fde39070
Opcode Fuzzy Hash: dd4e04983f1fc7846fc9ecf7c6e676f29dbaa0eec8d0d5915d49bcf9caca7d08
Instruction Fuzzy Hash: 5CA1A176009301BFD7509F60DC48E6B7BE9FB4A720F100A19F962A71E1DB70EA44DB52

Function 00AC8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00AC8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B06AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B06AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B06F43

Part of subcall function 00AC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AC8BE8,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00AC8FC5

SendMessageW.USER32(?,00001053), ref: 00B06F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B06F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B06FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B06FB7

Strings

0, xrefs: 00B06DCF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 634bd314cc4227d929db833e12c2acdb2a8bad80c4143161a129e32d8243c6f5
Instruction ID: 6ceeb6abb6fb571ffd6e418d738d5b60d77f72b329e21afd176e8e28896b0999
Opcode Fuzzy Hash: 634bd314cc4227d929db833e12c2acdb2a8bad80c4143161a129e32d8243c6f5
Instruction Fuzzy Hash: A512BD34201211EFDB25CF18C884BAABBF5FB45700F1585ADF4958B2A2CB35ED62CB91

Function 00B32711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B3273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B3286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B32900
GetClientRect.USER32(00000000,?), ref: 00B3290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B32955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B32964
GetStockObject.GDI32(00000011), ref: 00B32974
SelectObject.GDI32(00000000,00000000), ref: 00B32978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B32988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B32991
DeleteDC.GDI32(00000000), ref: 00B3299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B32A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B32A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B32A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B32A77
GetStockObject.GDI32(00000011), ref: 00B32A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B32A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B32A97

Strings

msctls_progress32, xrefs: 00B32A13
DISPLAY, xrefs: 00B3295A
static, xrefs: 00B3294F, 00B32A71
AutoIt v3, xrefs: 00B328F8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: be966d20ac4279d6b4e690df91ce2db448eb28f5f705ef285f29487e04a43dca
Instruction ID: 1bab72f88fefa2ac75c14c14b3ed00bd56115dcbdced1e8f7c614f3baf68fc73
Opcode Fuzzy Hash: be966d20ac4279d6b4e690df91ce2db448eb28f5f705ef285f29487e04a43dca
Instruction Fuzzy Hash: 18B16C75A01215BFEB14DFA8CC4AEAE7BB9FB08710F108554F915E72A1DB70AD00CBA4

Function 00B24ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B24AED
GetDriveTypeW.KERNEL32(?,00B4CB68,?,\\.\,00B4CC08), ref: 00B24BCA
SetErrorMode.KERNEL32(00000000,00B4CB68,?,\\.\,00B4CC08), ref: 00B24D36

Strings

iSCSI, xrefs: 00B24CC2
SSD, xrefs: 00B24C4A
1394, xrefs: 00B24C9F
MMC, xrefs: 00B24CDE
RAMDisk, xrefs: 00B24BF4
Removable, xrefs: 00B24C10, 00B24C15
Network, xrefs: 00B24C02
SSA, xrefs: 00B24CA6
Fixed, xrefs: 00B24C09
FileBackedVirtual, xrefs: 00B24CEC
Unknown, xrefs: 00B24BED, 00B24C83
SATA, xrefs: 00B24CD0
SCSI, xrefs: 00B24C8A
CDROM, xrefs: 00B24BFB
PhysicalDrive, xrefs: 00B24B76
SAS, xrefs: 00B24CC9
Fibre, xrefs: 00B24CAD
\\.\, xrefs: 00B24B3F
USB, xrefs: 00B24CB4
RAID, xrefs: 00B24CBB
ATA, xrefs: 00B24C98
ATAPI, xrefs: 00B24C91
Virtual, xrefs: 00B24CE5

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d27c2e6d1a021e6d30bca3e5515a3442f93baf7f354ec50c8f1de5196b02e961
Instruction ID: a63b8c332f498feea6bd062facf5f036792786f48f50daddecce3efcad4df4ed
Opcode Fuzzy Hash: d27c2e6d1a021e6d30bca3e5515a3442f93baf7f354ec50c8f1de5196b02e961
Instruction Fuzzy Hash: 4F61D330605615AFCB15DF28EAC2DAD77F0EB05340B2080E6F81EABAA2DB31DD41DB41

Function 00B473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B47421
SetTextColor.GDI32(?,?), ref: 00B47425
GetSysColorBrush.USER32(0000000F), ref: 00B4743B
GetSysColor.USER32(0000000F), ref: 00B47446
CreateSolidBrush.GDI32(?), ref: 00B4744B
GetSysColor.USER32(00000011), ref: 00B47463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B47471
SelectObject.GDI32(?,00000000), ref: 00B47482
SetBkColor.GDI32(?,00000000), ref: 00B4748B
SelectObject.GDI32(?,?), ref: 00B47498
InflateRect.USER32(?,000000FF,000000FF), ref: 00B474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B4752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B47554
InflateRect.USER32(?,000000FD,000000FD), ref: 00B47572
DrawFocusRect.USER32(?,?), ref: 00B4757D
GetSysColor.USER32(00000011), ref: 00B4758E
SetTextColor.GDI32(?,00000000), ref: 00B47596
DrawTextW.USER32(?,00B470F5,000000FF,?,00000000), ref: 00B475A8
SelectObject.GDI32(?,?), ref: 00B475BF
DeleteObject.GDI32(?), ref: 00B475CA
SelectObject.GDI32(?,?), ref: 00B475D0
DeleteObject.GDI32(?), ref: 00B475D5
SetTextColor.GDI32(?,?), ref: 00B475DB
SetBkColor.GDI32(?,?), ref: 00B475E5

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c6e33a84709d30b3f1768dbb05cad158197f61157c898d0c4fa8677127291ce4
Instruction ID: 9fa062cdff53d55686512ce21435ae2c3fa6669276feeecfde3dc19a15b54e24
Opcode Fuzzy Hash: c6e33a84709d30b3f1768dbb05cad158197f61157c898d0c4fa8677127291ce4
Instruction Fuzzy Hash: 3D619A76901218AFDF009FA4DC49EAEBFB9FB09720F114155F911BB2A1DB709A40DF90

Function 00B40FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B41128
GetDesktopWindow.USER32 ref: 00B4113D
GetWindowRect.USER32(00000000), ref: 00B41144
GetWindowLongW.USER32(?,000000F0), ref: 00B41199
DestroyWindow.USER32(?), ref: 00B411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B4120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B4121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00B41232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B41245
IsWindowVisible.USER32(00000000), ref: 00B412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B412D0
GetWindowRect.USER32(00000000,?), ref: 00B412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00B4130E
GetMonitorInfoW.USER32(00000000,?), ref: 00B41328
CopyRect.USER32(?,?), ref: 00B4133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00B413AA

Strings

(, xrefs: 00B4131B
0, xrefs: 00B410D3
tooltips_class32, xrefs: 00B411E6

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3e91838ab177ae9a8475069c7a419fd07954c3993aaa35617e5d11bc37fb798b
Instruction ID: 88ea4c45949602ff9f9651811258dee732c502b6d85b113ed827d63a87dd7d3c
Opcode Fuzzy Hash: 3e91838ab177ae9a8475069c7a419fd07954c3993aaa35617e5d11bc37fb798b
Instruction Fuzzy Hash: DEB1AF71A04341AFD710DF68C984BAEBBE4FF84700F008958F9999B261CB71DD44DB62

Function 00AC8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AC8968
GetSystemMetrics.USER32(00000007), ref: 00AC8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AC899B
GetSystemMetrics.USER32(00000008), ref: 00AC89A3
GetSystemMetrics.USER32(00000004), ref: 00AC89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AC89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AC89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AC8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AC8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00AC8A5A
GetStockObject.GDI32(00000011), ref: 00AC8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AC8A81

Part of subcall function 00AC912D: GetCursorPos.USER32(?), ref: 00AC9141
Part of subcall function 00AC912D: ScreenToClient.USER32(00000000,?), ref: 00AC915E
Part of subcall function 00AC912D: GetAsyncKeyState.USER32(00000001), ref: 00AC9183
Part of subcall function 00AC912D: GetAsyncKeyState.USER32(00000002), ref: 00AC919D

SetTimer.USER32(00000000,00000000,00000028,00AC90FC), ref: 00AC8AA8

Strings

AutoIt v3 GUI, xrefs: 00AC8A20

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 00304134994b84f90320fe39cd06e53903456132d4714b53754d6d015a1be4a9
Instruction ID: b1de9190a74412c392b2cabcb0de05b7fe0ed4d93de5af4ce0915bc979d48fe3
Opcode Fuzzy Hash: 00304134994b84f90320fe39cd06e53903456132d4714b53754d6d015a1be4a9
Instruction Fuzzy Hash: 17B18C35A01209AFDB14DFA8CC46FAE3BB5FB48714F114269FA15AB2A0DB34E941CB51

Function 00B10D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B11114
Part of subcall function 00B110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11120
Part of subcall function 00B110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B1112F
Part of subcall function 00B110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11136
Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B10DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B10E29
GetLengthSid.ADVAPI32(?), ref: 00B10E40
GetAce.ADVAPI32(?,00000000,?), ref: 00B10E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B10E96
GetLengthSid.ADVAPI32(?), ref: 00B10EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B10EB5
HeapAlloc.KERNEL32(00000000), ref: 00B10EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B10EDD
CopySid.ADVAPI32(00000000), ref: 00B10EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B10F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B10F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B10F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10F6E
HeapFree.KERNEL32(00000000), ref: 00B10F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10F7E
HeapFree.KERNEL32(00000000), ref: 00B10F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10F8E
HeapFree.KERNEL32(00000000), ref: 00B10F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00B10FA1
HeapFree.KERNEL32(00000000), ref: 00B10FA8

Part of subcall function 00B11193: GetProcessHeap.KERNEL32(00000008,00B10BB1,?,00000000,?,00B10BB1,?), ref: 00B111A1
Part of subcall function 00B11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B10BB1,?), ref: 00B111A8
Part of subcall function 00B11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B10BB1,?), ref: 00B111B7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3dfa5827f1f22dd635d4de4c2b34365f0f280cbe64c138ac1607e66ddd012869
Instruction ID: 21b619e36c59579fd32980354efc534a9ff5fd48221f5f85b5b781d258aaf6a5
Opcode Fuzzy Hash: 3dfa5827f1f22dd635d4de4c2b34365f0f280cbe64c138ac1607e66ddd012869
Instruction Fuzzy Hash: B371AF7290120AEBDF20AFA4DC45FEEBBB8FF06700F144155F958A7290DB709A85CB60

Function 00B3C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B4CC08,00000000,?,00000000,?,?), ref: 00B3C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B3C5A4
_wcslen.LIBCMT ref: 00B3C5F4
_wcslen.LIBCMT ref: 00B3C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B3C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B3C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B3C84D
RegCloseKey.ADVAPI32(?), ref: 00B3C881
RegCloseKey.ADVAPI32(00000000), ref: 00B3C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B3C960

Strings

REG_EXPAND_SZ, xrefs: 00B3C5CD
REG_QWORD, xrefs: 00B3C8C3
REG_DWORD, xrefs: 00B3C804
REG_SZ, xrefs: 00B3C644
REG_MULTI_SZ, xrefs: 00B3C6F5
REG_BINARY, xrefs: 00B3C913

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 839a20c1519f5bb8e3facb7815cbd0e848e3ee338109734fa502a93b5938f1ca
Instruction ID: 0c22f8ea72d99e5209ae3a8ed59e26912a717cda1158995c84a03e4f5321cf01
Opcode Fuzzy Hash: 839a20c1519f5bb8e3facb7815cbd0e848e3ee338109734fa502a93b5938f1ca
Instruction Fuzzy Hash: 3B1269352042009FD714DF24C981A6ABBE5FF88714F14899DF89AAB3A2DB31FD41CB91

Function 00B4091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B409C6
_wcslen.LIBCMT ref: 00B40A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B40A54
_wcslen.LIBCMT ref: 00B40A8A
_wcslen.LIBCMT ref: 00B40B06
_wcslen.LIBCMT ref: 00B40B81

Part of subcall function 00ACF9F2: _wcslen.LIBCMT ref: 00ACF9FD

Part of subcall function 00B12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B12BFA

Strings

EXISTS, xrefs: 00B40B7C, 00B40B97
GETTEXT, xrefs: 00B40C97
SELECT, xrefs: 00B40D11
CHECK, xrefs: 00B40A85, 00B40AA0
EXPAND, xrefs: 00B40BF8
UNCHECK, xrefs: 00B40D3E
ISCHECKED, xrefs: 00B40CE1
GETSELECTED, xrefs: 00B40C4E
COLLAPSE, xrefs: 00B40B01, 00B40B1C
GETITEMCOUNT, xrefs: 00B40C1E
GETTOTALCOUNT, xrefs: 00B409F2, 00B40A17

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d62dd70aae74e51a168b75fcfda05d51bcf9f12349c2ad65717ca13595b61c04
Instruction ID: a8dfeb21df55331342e5feefe70e552e412f14c5c0dc400fe2fc7dc043339b6e
Opcode Fuzzy Hash: d62dd70aae74e51a168b75fcfda05d51bcf9f12349c2ad65717ca13595b61c04
Instruction Fuzzy Hash: AAE1AF312183018FC714EF24C59196AB7E1FF98314F1589ADF9AA9B362DB30EE45DB81

Function 00B3C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
_wcslen.LIBCMT ref: 00B3C9F1
_wcslen.LIBCMT ref: 00B3CA68
_wcslen.LIBCMT ref: 00B3CA9E
_wcslen.LIBCMT ref: 00B3CAF9
_wcslen.LIBCMT ref: 00B3CB2F
_wcslen.LIBCMT ref: 00B3CB7F

Strings

HKCU, xrefs: 00B3CBCE
HKCR, xrefs: 00B3CB29, 00B3CB2E
HKEY_LOCAL_MACHINE, xrefs: 00B3CA62, 00B3CA67
HKEY_USERS, xrefs: 00B3CBDF
HKU, xrefs: 00B3CBF0
HKEY_CURRENT_CONFIG, xrefs: 00B3CB79, 00B3CB7E
HKLM, xrefs: 00B3CA98, 00B3CA9D
HKEY_CURRENT_USER, xrefs: 00B3CBBD
HKEY_CLASSES_ROOT, xrefs: 00B3CAF3, 00B3CAF8
HKCC, xrefs: 00B3CBAC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: efe81f874983a8a4e67d778cbc50898bb59414bb0e50f474cb4d5369caa205fc
Instruction ID: dc5e986438594100383b83698f7d7e52ba65f22475e69b90400084d94cdbe87e
Opcode Fuzzy Hash: efe81f874983a8a4e67d778cbc50898bb59414bb0e50f474cb4d5369caa205fc
Instruction Fuzzy Hash: 3871E33360012A8BCB20DEBCCD515BA3BD5EB60754F3545A9F86AB7289FA31CD45C3A0

Function 00B4833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B4835A
_wcslen.LIBCMT ref: 00B4836E
_wcslen.LIBCMT ref: 00B48391
_wcslen.LIBCMT ref: 00B483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B4361A,?), ref: 00B4844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B48487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B48501
FreeLibrary.KERNEL32(?), ref: 00B4850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4851D
DestroyIcon.USER32(?), ref: 00B4852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B48549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B48555

Strings

.dll, xrefs: 00B483AB
.exe, xrefs: 00B48388
.icl, xrefs: 00B48368

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: d715f147ddeb1e808c3542c917a7239f8ea23ab65f6215d25bb5f450a37069db
Instruction ID: cd397cb4e22b0f0b14071fcf3634657b695f0bf13e5a80974ee1d38d0fb4a5c1
Opcode Fuzzy Hash: d715f147ddeb1e808c3542c917a7239f8ea23ab65f6215d25bb5f450a37069db
Instruction Fuzzy Hash: 2F61B271540215BBEB14DF64CC81BBE7BACFB18B11F10468AF916DA1D1DF749A80DBA0

Function 00AB7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00AB78D9
#pragma compile, xrefs: 00AB77D3
#comments-start, xrefs: 00AB785F, 00AB78B1
#OnAutoItStartRegister, xrefs: 00AB7817
Cannot parse #include, xrefs: 00AF5279
#include, xrefs: 00AB7847
#notrayicon, xrefs: 00AB77E7
', xrefs: 00AF5169
#cs, xrefs: 00AB7873, 00AB78C5
", xrefs: 00AF5153
#include-once, xrefs: 00AB782F
#ce, xrefs: 00AB78ED
#requireadmin, xrefs: 00AB77FF
Bad directive syntax error, xrefs: 00AF519A
Unterminated group of comments, xrefs: 00AF528C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 45990be9b80d488fe7a4d17453bd10219bd48633ab1c8aec5b1cf16f22a19c53
Instruction ID: 46e1dc50821801039455887fa55f5090ce297a405bbab13f9fc536df216188aa
Opcode Fuzzy Hash: 45990be9b80d488fe7a4d17453bd10219bd48633ab1c8aec5b1cf16f22a19c53
Instruction Fuzzy Hash: B481E671A04609BBDB20AFA0CD42FFE3BA9AF55300F054065FA05AB193EFB4DA51D791

Function 00B23E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B23EF8
_wcslen.LIBCMT ref: 00B23F03
_wcslen.LIBCMT ref: 00B23F5A
_wcslen.LIBCMT ref: 00B23F98
GetDriveTypeW.KERNEL32(?), ref: 00B23FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B2401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B24059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B24087

Strings

wait, xrefs: 00B24044
type cdaudio alias cd wait, xrefs: 00B24001
closed, xrefs: 00B23F08, 00B23F2D, 00B23F46, 00B23F7E, 00B23F97
close, xrefs: 00B23EFE, 00B23F18
open, xrefs: 00B23F54, 00B23F59
close cd wait, xrefs: 00B24072
open , xrefs: 00B23FE5
set cd door , xrefs: 00B24028

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 09894ac72322db3abed6d3dd5294be2dd31d93c321343523a850676e2d075c57
Instruction ID: fd1cb2d9aa4ae24eb1da25a11a5c010253143c9dc3cc7564adc1c757c122c719
Opcode Fuzzy Hash: 09894ac72322db3abed6d3dd5294be2dd31d93c321343523a850676e2d075c57
Instruction Fuzzy Hash: 5571F0326042119FC310DF34D9918ABB7F8EF94B54F00896DF9AA97262EB34DE49CB51

Function 00B15A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B15A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B15A40
SetWindowTextW.USER32(?,?), ref: 00B15A57
GetDlgItem.USER32(?,000003EA), ref: 00B15A6C
SetWindowTextW.USER32(00000000,?), ref: 00B15A72
GetDlgItem.USER32(?,000003E9), ref: 00B15A82
SetWindowTextW.USER32(00000000,?), ref: 00B15A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B15AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B15AC3
GetWindowRect.USER32(?,?), ref: 00B15ACC
_wcslen.LIBCMT ref: 00B15B33
SetWindowTextW.USER32(?,?), ref: 00B15B6F
GetDesktopWindow.USER32 ref: 00B15B75
GetWindowRect.USER32(00000000), ref: 00B15B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B15BD3
GetClientRect.USER32(?,?), ref: 00B15BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B15C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B15C2F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 72e7d6dbc5ed7652d98b87c97dae0d55861d390ad4ebe486226c2c8df2cd3231
Instruction ID: 7139c281bf3fbfda2ce37bd4ae6f4f0990d1b6ada727a0e042f33ee863289f5a
Opcode Fuzzy Hash: 72e7d6dbc5ed7652d98b87c97dae0d55861d390ad4ebe486226c2c8df2cd3231
Instruction Fuzzy Hash: 0A716D31900B09EFDB20DFA8CE85AAEBBF5FF88B04F504558E542A35A0DB75E940CB50

Function 00B2FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B2FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00B2FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00B2FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00B2FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00B2FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00B2FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00B2FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00B2FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00B2FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00B2FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00B2FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00B2FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00B2FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00B2FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00B2FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00B2FECC
GetCursorInfo.USER32(?), ref: 00B2FEDC
GetLastError.KERNEL32 ref: 00B2FF1E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1d2e3e5b2b1be1a38bc611e66f34842b2a4fdc02838c43d78cf6bb20c8171996
Instruction ID: cd1f34d3fe8bcf3c4bfd708e9a4b11cf6cbd4cce246da4918a19cca95c312c58
Opcode Fuzzy Hash: 1d2e3e5b2b1be1a38bc611e66f34842b2a4fdc02838c43d78cf6bb20c8171996
Instruction Fuzzy Hash: AE4172B0D0531A6ADB109FBA9C8586EBFF8FF04714B50417AE11CE7281DB7899018E91

Function 00AD00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00AD00C6

Part of subcall function 00AD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B8070C,00000FA0,214B826A,?,?,?,?,00AF23B3,000000FF), ref: 00AD011C
Part of subcall function 00AD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AF23B3,000000FF), ref: 00AD0127
Part of subcall function 00AD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AF23B3,000000FF), ref: 00AD0138
Part of subcall function 00AD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00AD014E
Part of subcall function 00AD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AD015C
Part of subcall function 00AD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AD016A
Part of subcall function 00AD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AD0195
Part of subcall function 00AD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AD01A0

___scrt_fastfail.LIBCMT ref: 00AD00E7

Part of subcall function 00AD00A3: __onexit.LIBCMT ref: 00AD00A9

Strings

SleepConditionVariableCS, xrefs: 00AD0154
InitializeConditionVariable, xrefs: 00AD0148
WakeAllConditionVariable, xrefs: 00AD0162
kernel32.dll, xrefs: 00AD0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AD0122

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 841e508885d40425ca776be4531a6d56af3eaf1e62ac869335392d50ba01cbf3
Instruction ID: e1419d8d0ee40cd1a0367b165758678a4a6e5fe08fa7246749a4a788627f8b77
Opcode Fuzzy Hash: 841e508885d40425ca776be4531a6d56af3eaf1e62ac869335392d50ba01cbf3
Instruction Fuzzy Hash: 1F21C636A457116BE7506BA4AD05F6A77E4FF05F91F01063AF806A73A1DF749D008A90

Function 00B130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B1318D
_wcslen.LIBCMT ref: 00B131F8

Strings

TEXT, xrefs: 00B1347C
INSTANCE, xrefs: 00B13453
NAME, xrefs: 00B13335, 00B13346
CLASSNN, xrefs: 00B131F3, 00B13204
CLASS, xrefs: 00B13188, 00B131A5
REGEXPCLASS, xrefs: 00B13255, 00B13266

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 60ac8960748d29322920a0ffda4b230885eb5146205f7c133bf6fc5e41f17e05
Instruction ID: f5bdc69c7165076cb5354614b47dc7de53c275a94695339af5e826792f7753f0
Opcode Fuzzy Hash: 60ac8960748d29322920a0ffda4b230885eb5146205f7c133bf6fc5e41f17e05
Instruction Fuzzy Hash: EAE1D632A00516ABCB149F78C4916EDBBF5FF54F10F9481A9E466B7240EB30AEC587D0

Function 00B244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00B4CC08), ref: 00B24527
_wcslen.LIBCMT ref: 00B2453B
_wcslen.LIBCMT ref: 00B24599
_wcslen.LIBCMT ref: 00B245F4
_wcslen.LIBCMT ref: 00B2463F
_wcslen.LIBCMT ref: 00B246A7

Part of subcall function 00ACF9F2: _wcslen.LIBCMT ref: 00ACF9FD

GetDriveTypeW.KERNEL32(?,00B76BF0,00000061), ref: 00B24743

Strings

removable, xrefs: 00B245EA, 00B245EF
fixed, xrefs: 00B24635, 00B2463A
network, xrefs: 00B2469D, 00B246A2
ramdisk, xrefs: 00B246F1
cdrom, xrefs: 00B2458F, 00B24594
unknown, xrefs: 00B24708
all, xrefs: 00B24531, 00B24536

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0122debf9710347934cc0b46c9d8357712cba6ba4daa54b13e9a81eb3118f24e
Instruction ID: 4a16c1f1067b016658c7f6802eb9ee8d9f00559a796c36ef8c163db5ec46439c
Opcode Fuzzy Hash: 0122debf9710347934cc0b46c9d8357712cba6ba4daa54b13e9a81eb3118f24e
Instruction Fuzzy Hash: CAB1E1316083229FC710DF28E991A6EB7E5EFA6720F50499DF4AAC7692D730DC44CB52

Function 00AB326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00B81990), ref: 00AF2F8D
GetMenuItemCount.USER32(00B81990), ref: 00AF303D
GetCursorPos.USER32(?), ref: 00AF3081
SetForegroundWindow.USER32(00000000), ref: 00AF308A
TrackPopupMenuEx.USER32(00B81990,00000000,?,00000000,00000000,00000000), ref: 00AF309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AF30A9

Strings

0, xrefs: 00AB327D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: c73d7a0ad7a538050350bf03e00f98ee011d2fe1d5893ef030700090081b3300
Instruction ID: af09181ce2706fab7ee166c769bb169cc4a0298033688b5e49ea279bf212b5e0
Opcode Fuzzy Hash: c73d7a0ad7a538050350bf03e00f98ee011d2fe1d5893ef030700090081b3300
Instruction Fuzzy Hash: 19712971641209BEEB218FA4CC49FEABF78FF05764F204216F6146A1E1CBB1AD50DB90

Function 00B46CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00B46DEB

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B46E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B46E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B46E94
DestroyWindow.USER32(?), ref: 00B46EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AB0000,00000000), ref: 00B46EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B46EFD
GetDesktopWindow.USER32 ref: 00B46F16
GetWindowRect.USER32(00000000), ref: 00B46F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B46F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B46F4D

Part of subcall function 00AC9944: GetWindowLongW.USER32(?,000000EB), ref: 00AC9952

Strings

0, xrefs: 00B46D98
tooltips_class32, xrefs: 00B46E58, 00B46EDD

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 1f79b88508b2967733ac5acbc48c6eeca1bac82bc664356aa33d194ba515542d
Instruction ID: 4afd9bb602d608d40e9cc19eb6fbcea2217c58579148f0697f8b8f414513c74d
Opcode Fuzzy Hash: 1f79b88508b2967733ac5acbc48c6eeca1bac82bc664356aa33d194ba515542d
Instruction Fuzzy Hash: B9715974144345AFDB21CF18DC44FAABBF9FB8A704F04485DF99987261CB70AA0ADB12

Function 00B4911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

DragQueryPoint.SHELL32(?,?), ref: 00B49147

Part of subcall function 00B47674: ClientToScreen.USER32(?,?), ref: 00B4769A
Part of subcall function 00B47674: GetWindowRect.USER32(?,?), ref: 00B47710
Part of subcall function 00B47674: PtInRect.USER32(?,?,00B48B89), ref: 00B47720

SendMessageW.USER32(?,000000B0,?,?), ref: 00B491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B49225
SendMessageW.USER32(?,000000B0,?,?), ref: 00B4923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B49255
SendMessageW.USER32(?,000000B1,?,?), ref: 00B49277
DragFinish.SHELL32(?), ref: 00B4927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B49371

Strings

@GUI_DRAGID, xrefs: 00B492E9
@GUI_DROPID, xrefs: 00B4929E
@GUI_DRAGFILE, xrefs: 00B49320

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 8dfb45a226838bb938e05f20ebcc6c9175645eb246ce19519339112fc5898f4a
Instruction ID: 8b55e04e4fbf910e711f9530f568372c61cf3743ca81c9858c0d45197a906222
Opcode Fuzzy Hash: 8dfb45a226838bb938e05f20ebcc6c9175645eb246ce19519339112fc5898f4a
Instruction Fuzzy Hash: 0B617571108301AFD701EF64DD85DABBBF8EF89750F00496EF696932A1DB309A09CB52

Function 00B2C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B2C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B2C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B2C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B2C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B2C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B2C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B2C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B2C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B2C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B2C5F0
InternetCloseHandle.WININET(00000000), ref: 00B2C5FB

Strings

, xrefs: 00B2C575

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 8a915d37552678d6596c09da5d8c900240b2f8a66abeed5914281fc1da7496cf
Instruction ID: 81cd8caa572cd5544e7b7a3cbd5f17fe0c90592745088b44388bb53b984ce683
Opcode Fuzzy Hash: 8a915d37552678d6596c09da5d8c900240b2f8a66abeed5914281fc1da7496cf
Instruction Fuzzy Hash: 235169B4500618BFEB219FA0D989AAF7FFCFF19744F00445AF94A97210DB74EA049B60

Function 00B4856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00B48592
GetFileSize.KERNEL32(00000000,00000000), ref: 00B485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00B485AD
CloseHandle.KERNEL32(00000000), ref: 00B485BA
GlobalLock.KERNEL32(00000000), ref: 00B485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B485D7
GlobalUnlock.KERNEL32(00000000), ref: 00B485E0
CloseHandle.KERNEL32(00000000), ref: 00B485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00B485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B4FC38,?), ref: 00B48611
GlobalFree.KERNEL32(00000000), ref: 00B48621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00B48641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B48671
DeleteObject.GDI32(00000000), ref: 00B48699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B486AF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 524493432612135c553676656f9041872a1d4059b71b2914baff8f127c565477
Instruction ID: 26b1d6b8116135edfb9122ebcc54cadb36375f8c061b274781dce86ef27e6a71
Opcode Fuzzy Hash: 524493432612135c553676656f9041872a1d4059b71b2914baff8f127c565477
Instruction Fuzzy Hash: 4D411C75601204BFDB519FA9DC88EAE7BB8FF9AB11F114058F905E7260DB709E01DB60

Function 00B214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B21502
VariantCopy.OLEAUT32(?,?), ref: 00B2150B
VariantClear.OLEAUT32(?), ref: 00B21517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00B21657
VariantInit.OLEAUT32(?), ref: 00B21708
SysFreeString.OLEAUT32(?), ref: 00B2178C
VariantClear.OLEAUT32(?), ref: 00B217D8
VariantClear.OLEAUT32(?), ref: 00B217E7
VariantInit.OLEAUT32(00000000), ref: 00B21823

Strings

Default, xrefs: 00B216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00B21625

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d90b667c6f752af3f4e7db96eb7fcfa86fbf41eec35827b630a82e842644f07c
Instruction ID: 848b941bbeb9148df4fe9c75fb7157911f9e70c819220973b2718d134ad7c9dc
Opcode Fuzzy Hash: d90b667c6f752af3f4e7db96eb7fcfa86fbf41eec35827b630a82e842644f07c
Instruction Fuzzy Hash: 90D1F171A00225DBDB009F69E985BB9B7F5FF65700F1088DAF40AAB291DB30DD41DB62

Function 00B3B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00B3B80A
RegCloseKey.ADVAPI32(?), ref: 00B3B87E
RegCloseKey.ADVAPI32(?), ref: 00B3B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B3B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B3B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B3B922
FreeLibrary.KERNEL32(00000000), ref: 00B3B983
RegCloseKey.ADVAPI32(00000000), ref: 00B3B994

Strings

RegDeleteKeyExW, xrefs: 00B3B8FE
advapi32.dll, xrefs: 00B3B8ED

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: bb414629b7ce8882c5e9be5f12d273574c3ef34c454d8d918819d9a4f2b8ab77
Instruction ID: 8a32acf4f76eb072ed1bfab52a07a400c71120d5b5fd83050adabdde564fffb4
Opcode Fuzzy Hash: bb414629b7ce8882c5e9be5f12d273574c3ef34c454d8d918819d9a4f2b8ab77
Instruction Fuzzy Hash: 14C17C34204201AFD714DF24C495F6ABBE5FF84318F24859CF59A8B2A2CB75ED45CB91

Function 00B3255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B325E8
CreateCompatibleDC.GDI32(?), ref: 00B325F4
SelectObject.GDI32(00000000,?), ref: 00B32601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B3266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B326D0
SelectObject.GDI32(?,?), ref: 00B326D8
DeleteObject.GDI32(?), ref: 00B326E1
DeleteDC.GDI32(?), ref: 00B326E8
ReleaseDC.USER32(00000000,?), ref: 00B326F3

Strings

(, xrefs: 00B3268D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f511e8eef1a6f448e5ebd6d19ef38a6db4ba477b4bccd3767b5d93719d5d9592
Instruction ID: d433fd969787538766ca51658f30ebea653b3edcd5a657cf52f6b2e36866236f
Opcode Fuzzy Hash: f511e8eef1a6f448e5ebd6d19ef38a6db4ba477b4bccd3767b5d93719d5d9592
Instruction Fuzzy Hash: EA61E075D01219EFCF04CFA8D885AAEBBF6FF48710F208569E955A7250D770AA41CFA0

Function 00AEDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00AEDAA1

Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED659
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED66B
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED67D
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED68F
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6A1
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6B3
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6C5
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6D7
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6E9
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6FB
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED70D
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED71F
Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED731

_free.LIBCMT ref: 00AEDA96

Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0

_free.LIBCMT ref: 00AEDAB8
_free.LIBCMT ref: 00AEDACD
_free.LIBCMT ref: 00AEDAD8
_free.LIBCMT ref: 00AEDAFA
_free.LIBCMT ref: 00AEDB0D
_free.LIBCMT ref: 00AEDB1B
_free.LIBCMT ref: 00AEDB26
_free.LIBCMT ref: 00AEDB5E
_free.LIBCMT ref: 00AEDB65
_free.LIBCMT ref: 00AEDB82
_free.LIBCMT ref: 00AEDB9A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 02da672166a6b8261bcdabccff22c12a000fda20b3b8b21dcbced85c336de95d
Instruction ID: e1872b229a64f07a9c8f534c129030102dc1717a8d49c20dc88ed4e06a5d7591
Opcode Fuzzy Hash: 02da672166a6b8261bcdabccff22c12a000fda20b3b8b21dcbced85c336de95d
Instruction Fuzzy Hash: 40318E326043889FEB21AB3AE946B5A77E8FF40354F125429F458DB192EF35ED40C720

Function 00B1365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B1369C
_wcslen.LIBCMT ref: 00B136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B13797
GetClassNameW.USER32(?,?,00000400), ref: 00B1380C
GetDlgCtrlID.USER32(?), ref: 00B1385D
GetWindowRect.USER32(?,?), ref: 00B13882
GetParent.USER32(?), ref: 00B138A0
ScreenToClient.USER32(00000000), ref: 00B138A7
GetClassNameW.USER32(?,?,00000100), ref: 00B13921
GetWindowTextW.USER32(?,?,00000400), ref: 00B1395D

Strings

%s%u, xrefs: 00B13734

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 936fcae28b12e9dce7eae130e64102e55d96c25b4757b2c20be38c62b17fb1d5
Instruction ID: d35443911e37c255ea6b3a83fddb7bb601b464514c32eb163068735e59900051
Opcode Fuzzy Hash: 936fcae28b12e9dce7eae130e64102e55d96c25b4757b2c20be38c62b17fb1d5
Instruction Fuzzy Hash: 5891B471204606AFD719DF24C885FEAF7E8FF44B50F408569F99AD2190EB30EA85CB91

Function 00B14954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B14994
GetWindowTextW.USER32(?,?,00000400), ref: 00B149DA
_wcslen.LIBCMT ref: 00B149EB
CharUpperBuffW.USER32(?,00000000), ref: 00B149F7
_wcsstr.LIBVCRUNTIME ref: 00B14A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B14A64
GetWindowTextW.USER32(?,?,00000400), ref: 00B14A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B14AE6
GetClassNameW.USER32(?,?,00000400), ref: 00B14B20
GetWindowRect.USER32(?,?), ref: 00B14B8B

Strings

ThumbnailClass, xrefs: 00B14A6F, 00B14AF1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 7240a1c1e0be9786e0b749e5b785f8173e23f52928468a58970c9bcd1728fe2b
Instruction ID: b796d76335c2f4efba6d5b1ed7bc8b4659843028173c6b00cbed4c3d3efe5d6e
Opcode Fuzzy Hash: 7240a1c1e0be9786e0b749e5b785f8173e23f52928468a58970c9bcd1728fe2b
Instruction Fuzzy Hash: ED919D710082059FDB04CF14C985BEA7BE8FF85754F4484AAFD8A9B196DB30ED85CBA1

Function 00B3CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B3CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B3CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B3CD48

Part of subcall function 00B3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B3CCAA
Part of subcall function 00B3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B3CCBD
Part of subcall function 00B3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B3CCCF
Part of subcall function 00B3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B3CD05
Part of subcall function 00B3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B3CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B3CCF3

Strings

RegDeleteKeyExW, xrefs: 00B3CCC9
advapi32.dll, xrefs: 00B3CCB8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 75ffca4eafc4d65b74c06c9072d9f6179fdb0ec47757876b418d3eb90e4abd63
Instruction ID: 3a5f0dfa1b738eae2613bd3571e200f1c1b4ae4c7793ab71cec4720fee974959
Opcode Fuzzy Hash: 75ffca4eafc4d65b74c06c9072d9f6179fdb0ec47757876b418d3eb90e4abd63
Instruction Fuzzy Hash: 4C313C75942129BBD7208B95DC88EFFBFBCEF46750F1001A5B905E3250DE349A459BA0

Function 00B23D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B23D40
_wcslen.LIBCMT ref: 00B23D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B23D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B23DBE
RemoveDirectoryW.KERNEL32(?), ref: 00B23DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B23E55
CloseHandle.KERNEL32(00000000), ref: 00B23E60
CloseHandle.KERNEL32(00000000), ref: 00B23E6B

Strings

\??\%s, xrefs: 00B23D5B
\, xrefs: 00B23D77
:, xrefs: 00B23D82

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 30f93bfba3ab58e78c418dcaa39c10338a5f024fdbf1433ea0bef106cc54d177
Instruction ID: 5925dcef3791938f2aa5570ea19bc699f0eae347ab1eecc2954015efab8c87b7
Opcode Fuzzy Hash: 30f93bfba3ab58e78c418dcaa39c10338a5f024fdbf1433ea0bef106cc54d177
Instruction Fuzzy Hash: 8231AF76A00219ABDB209FA0DC49FEB37FCEF89B40F1041B6F609D6160EB7497448B24

Function 00B1E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B1E6B4

Part of subcall function 00ACE551: timeGetTime.WINMM(?,?,00B1E6D4), ref: 00ACE555

Sleep.KERNEL32(0000000A), ref: 00B1E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B1E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B1E727
SetActiveWindow.USER32 ref: 00B1E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B1E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B1E773
Sleep.KERNEL32(000000FA), ref: 00B1E77E
IsWindow.USER32 ref: 00B1E78A
EndDialog.USER32(00000000), ref: 00B1E79B

Strings

BUTTON, xrefs: 00B1E719

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3762bd19c0a7f1b2006be8a61fda59be6ae6584886407cbe63988392f599a518
Instruction ID: fc3719d30c7074379b6abb75edf6439e3a57d41f72130f7e3f27e6741a760ef5
Opcode Fuzzy Hash: 3762bd19c0a7f1b2006be8a61fda59be6ae6584886407cbe63988392f599a518
Instruction Fuzzy Hash: 53216DB4201204AFFB005F20EC89A6A3FE9FB56B48B944465F925831B1EF71ED80CB24

Function 00B1E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B1EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B1EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B1EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B1EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B1EAA7

Strings

alias PlayMe, xrefs: 00B1EA36
play PlayMe, xrefs: 00B1EAA2
play PlayMe wait, xrefs: 00B1EA91
status PlayMe mode, xrefs: 00B1EA58
open , xrefs: 00B1EA0C
close PlayMe, xrefs: 00B1EA6E, 00B1EA9B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9019b4dbcefbc3190288b23569773fe52816a4c0e9097ac270dc688d7fbeb9e2
Instruction ID: 1b355dd71e1e507a2bd66a213c3dcfc2fd93affb391ad176be1a2fe9b2c50063
Opcode Fuzzy Hash: 9019b4dbcefbc3190288b23569773fe52816a4c0e9097ac270dc688d7fbeb9e2
Instruction Fuzzy Hash: EA119131A5021979D720A7A1DD4ADFF6FFCEFD5F00F404469B925A20E2EE704944C5B0

Function 00B15CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B15CE2
GetWindowRect.USER32(00000000,?), ref: 00B15CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B15D59
GetDlgItem.USER32(?,00000002), ref: 00B15D69
GetWindowRect.USER32(00000000,?), ref: 00B15D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B15DCF
GetDlgItem.USER32(?,000003E9), ref: 00B15DDD
GetWindowRect.USER32(00000000,?), ref: 00B15DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B15E31
GetDlgItem.USER32(?,000003EA), ref: 00B15E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B15E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B15E67

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ec4ef69add533bc1b29897bbe5da3fbf8ff77c6b2dffbb665279bd516f21135d
Instruction ID: 7722a8cafd95718d6b3c1195585d1ee7915eb14b235f54babd763bad815c4ae0
Opcode Fuzzy Hash: ec4ef69add533bc1b29897bbe5da3fbf8ff77c6b2dffbb665279bd516f21135d
Instruction Fuzzy Hash: CF511D75B00605AFDB18CF68DD89AAEBBF5FB89700F508169F915E7290DB709E40CB50

Function 00AC8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AC8BE8,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00AC8FC5

DestroyWindow.USER32(?), ref: 00AC8C81
KillTimer.USER32(00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00AC8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00B06973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00B069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00B069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AC8BBA,00000000), ref: 00B069D4
DeleteObject.GDI32(00000000), ref: 00B069E6

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 44ce756a47dadef065938ea3ace13ab495d36d3684705afd0fd3489a0217d682
Instruction ID: 16169373da2403fcdb45d29b7764c38d1adbb569bb393fc5bd9d3274b788a468
Opcode Fuzzy Hash: 44ce756a47dadef065938ea3ace13ab495d36d3684705afd0fd3489a0217d682
Instruction Fuzzy Hash: 7B619935106610DFCB259F18DA48B2A7BF1FB41312F12495CE0429BAB0CF39AD92DFA4

Function 00AC9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00AC9944: GetWindowLongW.USER32(?,000000EB), ref: 00AC9952

GetSysColor.USER32(0000000F), ref: 00AC9862

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 561dec298a2c5911862672a4c4b14d335d79cf73f059383ac432ecece025363b
Instruction ID: 8fb5b1670b10544021f25f3766276ad6d7cea9eda4af40dcb88f27faea4cdb78
Opcode Fuzzy Hash: 561dec298a2c5911862672a4c4b14d335d79cf73f059383ac432ecece025363b
Instruction Fuzzy Hash: BD41C135505650AFDB205F389C88FBA3BA5FB17730F154649F9A29B2E2CB309E42DB10

Function 00B196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00AFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B19717
LoadStringW.USER32(00000000,?,00AFF7F8,00000001), ref: 00B19720

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B19742
LoadStringW.USER32(00000000,?,00AFF7F8,00000001), ref: 00B19745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B19866

Strings

Line %d (File "%s"):, xrefs: 00B1978F
Line %d:, xrefs: 00B197A0
%s (%d) : ==> %s: %s %s, xrefs: 00B1984A
^ ERROR, xrefs: 00B197FB
Error: , xrefs: 00B1981D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b34904d0ba59defe339757e85bb22498cc8ce6e8d890ab6300c4de20ce1f9429
Instruction ID: 0936e4bc190db7d3500cc95f383013dc2e8d267ffe8c1ce011f6f8b899e996b2
Opcode Fuzzy Hash: b34904d0ba59defe339757e85bb22498cc8ce6e8d890ab6300c4de20ce1f9429
Instruction Fuzzy Hash: 9A411C72800219AACF04EBE0DE96EEFB7BCAF55740F604065F60576092EB356F48CB61

Function 00B106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B10804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B1082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B10837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B1083C

Strings

SOFTWARE\Classes\, xrefs: 00B1070E
\IPC$, xrefs: 00B10784
\CLSID, xrefs: 00B10724

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: dca05e0b4fd9b761fef9927ef35c70263868f225247224d38093c295cc0f882b
Instruction ID: 40ff1c69509df1b0b00ea661579a9788307c1b41e11f8021ef807bbc4e3d20dc
Opcode Fuzzy Hash: dca05e0b4fd9b761fef9927ef35c70263868f225247224d38093c295cc0f882b
Instruction Fuzzy Hash: 09413972C10229ABDF21EFA4DD95CEEB7B8FF04740F444169E915A71A1EB709E44CB90

Function 00B33C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B33C5C
CoInitialize.OLE32(00000000), ref: 00B33C8A
CoUninitialize.OLE32 ref: 00B33C94
_wcslen.LIBCMT ref: 00B33D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00B33DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B33ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B33F0E
CoGetObject.OLE32(?,00000000,00B4FB98,?), ref: 00B33F2D
SetErrorMode.KERNEL32(00000000), ref: 00B33F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B33FC4
VariantClear.OLEAUT32(?), ref: 00B33FD8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 705105eb71c4584df3613f6c742a60d09e6ae3c6588e7adc43d3f633b22c94f3
Instruction ID: ac77011c3f2eeed6d5403a0057e15cb189144c6ab68bbed6c1ee4442b3c17eb8
Opcode Fuzzy Hash: 705105eb71c4584df3613f6c742a60d09e6ae3c6588e7adc43d3f633b22c94f3
Instruction Fuzzy Hash: BAC159716083059FD700DF68C88496BBBE9FF89B44F20499DF98A9B211DB31EE45CB52

Function 00B27A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B27AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B27B8F
SHGetDesktopFolder.SHELL32(?), ref: 00B27BA3
CoCreateInstance.OLE32(00B4FD08,00000000,00000001,00B76E6C,?), ref: 00B27BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B27C74
CoTaskMemFree.OLE32(?,?), ref: 00B27CCC
SHBrowseForFolderW.SHELL32(?), ref: 00B27D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B27D7A
CoTaskMemFree.OLE32(00000000), ref: 00B27D81
CoTaskMemFree.OLE32(00000000), ref: 00B27DD6
CoUninitialize.OLE32 ref: 00B27DDC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 62a04ef255bc331486f355891d7a9cc8010f647d45010489359f577448e7916c
Instruction ID: 5195935bfa8e6069ba8e2d8f245ebaa43d1edcceb88b64f375279af56d78de56
Opcode Fuzzy Hash: 62a04ef255bc331486f355891d7a9cc8010f647d45010489359f577448e7916c
Instruction Fuzzy Hash: DAC13D75A04119AFCB14DF64D898DAEBBF9FF48304B1485A9E41ADB361DB30EE41CB90

Function 00B4541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B45504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B45515
CharNextW.USER32(00000158), ref: 00B45544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B45585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B4559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B455AC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5e92654dbca236c127f585ed65696e127fdebb933fa4b6bf04d242b87c1d98ff
Instruction ID: 31d6d3acef8d2c8a31d02942e364a0a252376462aa85441176cd546997c0d559
Opcode Fuzzy Hash: 5e92654dbca236c127f585ed65696e127fdebb933fa4b6bf04d242b87c1d98ff
Instruction Fuzzy Hash: 7B619274905A08EBDF209F54CC85AFE7BF9FB06720F108185F9259B292D7709B81EB60

Function 00B0FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B0FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00B0FB08
VariantInit.OLEAUT32(?), ref: 00B0FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B0FB3A
VariantCopy.OLEAUT32(?,?), ref: 00B0FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B0FBA1
VariantClear.OLEAUT32(?), ref: 00B0FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B0FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0FBCC
VariantClear.OLEAUT32(?), ref: 00B0FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0FBE9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 613e4ab62b5d595b9b0337dd5de7a33286237560c7950f813a42511cf6df20e5
Instruction ID: 872b4b8521dc07cb0ea2f25f909f6df8d08fe5d8720372193ce3f6432436ff81
Opcode Fuzzy Hash: 613e4ab62b5d595b9b0337dd5de7a33286237560c7950f813a42511cf6df20e5
Instruction Fuzzy Hash: A8413035A0121A9FCF10DF68D9549BDBFB9FF48754F008469E946A7261CB30AA45CFA0

Function 00B19C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B19CA1
GetAsyncKeyState.USER32(000000A0), ref: 00B19D22
GetKeyState.USER32(000000A0), ref: 00B19D3D
GetAsyncKeyState.USER32(000000A1), ref: 00B19D57
GetKeyState.USER32(000000A1), ref: 00B19D6C
GetAsyncKeyState.USER32(00000011), ref: 00B19D84
GetKeyState.USER32(00000011), ref: 00B19D96
GetAsyncKeyState.USER32(00000012), ref: 00B19DAE
GetKeyState.USER32(00000012), ref: 00B19DC0
GetAsyncKeyState.USER32(0000005B), ref: 00B19DD8
GetKeyState.USER32(0000005B), ref: 00B19DEA

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 21c36d1bfab42d723f2d2c8e27524f4bcb845d3dc197949683b157226b9e3786
Instruction ID: 59bd65785663238d63e3f445acd7a6d5b828f294de44ad852d7ed982eaf30cce
Opcode Fuzzy Hash: 21c36d1bfab42d723f2d2c8e27524f4bcb845d3dc197949683b157226b9e3786
Instruction Fuzzy Hash: 5241D8346047C969FF748764D4243F5BEE0FB12744F8880EADAC6575C2DBA49AC8C7A2

Function 00B3055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B305BC
inet_addr.WSOCK32(?), ref: 00B3061C
gethostbyname.WSOCK32(?), ref: 00B30628
IcmpCreateFile.IPHLPAPI ref: 00B30636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00B307B9
WSACleanup.WSOCK32 ref: 00B307BF

Strings

Ping, xrefs: 00B30676

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 26ea2b61b499ee8f7a1507db9da969dc18fbde7af172ba4a85375e96fdef2f5a
Instruction ID: 1b3dd2fa7d30c4b5be0d1fdfa334ad71727ba10a3d4e25c623a9c1ebd17aab30
Opcode Fuzzy Hash: 26ea2b61b499ee8f7a1507db9da969dc18fbde7af172ba4a85375e96fdef2f5a
Instruction Fuzzy Hash: 85919D34618201DFD320EF15C599F1ABBE4EF44318F2585A9F46A9B6A2CB30ED41CF91

Function 00B38CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00B38CF3

Part of subcall function 00B18E54: _wcslen.LIBCMT ref: 00B18E77

_wcslen.LIBCMT ref: 00B38D4E
_wcslen.LIBCMT ref: 00B38D9C
_wcslen.LIBCMT ref: 00B38DDC
_wcslen.LIBCMT ref: 00B38E6E

Strings

none, xrefs: 00B38E65, 00B38E6A
cdecl, xrefs: 00B38D48, 00B38D4D
stdcall, xrefs: 00B38DD6, 00B38DDB
winapi, xrefs: 00B38D96, 00B38D9B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a0750c2a7a332898473d2d34d77205f4d7d7e555faee8cfa2ef270ed58d2ab5f
Instruction ID: 366850dfc7dc0df230c273aa90de9c645bf8b98efc8632bc72e9337d958859a5
Opcode Fuzzy Hash: a0750c2a7a332898473d2d34d77205f4d7d7e555faee8cfa2ef270ed58d2ab5f
Instruction Fuzzy Hash: 0F517032A042269BCF14DF68C9908BEB7E5FF64720B3142A9F426A7285DB35DD44C791

Function 00B3372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00B33774
CoUninitialize.OLE32 ref: 00B3377F
CoCreateInstance.OLE32(?,00000000,00000017,00B4FB78,?), ref: 00B337D9
IIDFromString.OLE32(?,?), ref: 00B3384C
VariantInit.OLEAUT32(?), ref: 00B338E4
VariantClear.OLEAUT32(?), ref: 00B33936

Strings

NULL Pointer assignment, xrefs: 00B3381E
Invalid parameter, xrefs: 00B33865
Failed to create object, xrefs: 00B337E4, 00B3389A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 870691febd42b705a9f9c7718fe45bec79bc01a47f402d4c9e654c4c775b0631
Instruction ID: 961d1d44511b20f45b3305c0f822fbdebe46ca2b04464ce4f32a9abaad236a18
Opcode Fuzzy Hash: 870691febd42b705a9f9c7718fe45bec79bc01a47f402d4c9e654c4c775b0631
Instruction Fuzzy Hash: 19618074608301AFD310DF54C989F6BBBE8EF45B10F204999F5959B291DB70EE48CB92

Function 00B28195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B28257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B28267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B28273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B28310
SetCurrentDirectoryW.KERNEL32(?), ref: 00B28324
SetCurrentDirectoryW.KERNEL32(?), ref: 00B28356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B2838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B28395

Strings

*.*, xrefs: 00B2839B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 92955e99f79e9deb1e430cd8b32e093d40050c9b8b8bd8cca44905db17ed5d2a
Instruction ID: 95b67fcc26fc11ad82c89e1b590e6d26b2d15c5408c740ff8afecae1da555888
Opcode Fuzzy Hash: 92955e99f79e9deb1e430cd8b32e093d40050c9b8b8bd8cca44905db17ed5d2a
Instruction Fuzzy Hash: 4E616B725043559FCB10EF60D8809AEB3ECFF89710F04896EF99A97251EB31E945CB92

Function 00B23388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B233CF

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B233F0

Strings

Line %d (File "%s"):, xrefs: 00B23443, 00B2345C
Incorrect parameters to object property !, xrefs: 00B234AB
^ ERROR , xrefs: 00B2349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00B23504
"%s" (%d) : ==> %s:, xrefs: 00B23522
Error: , xrefs: 00B234D1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 845d20f35275f5e205e6efde1b2255dd86968120082c9e909373261061cc695e
Instruction ID: ad45ca541107d8c280a7e035237f2c24524d9961b0f561130586b819fa5ef365
Opcode Fuzzy Hash: 845d20f35275f5e205e6efde1b2255dd86968120082c9e909373261061cc695e
Instruction Fuzzy Hash: 2A518F32800219BADF14EBA0DE56EEEB7FCEF14740F2040A5F10972062DB256F98DB61

Function 00B1B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B1B5FC
_wcslen.LIBCMT ref: 00B1B608
_wcslen.LIBCMT ref: 00B1B64D
_wcslen.LIBCMT ref: 00B1B68C
_wcslen.LIBCMT ref: 00B1B6C7

Strings

EXISTS, xrefs: 00B1B686, 00B1B68B
REMOVE, xrefs: 00B1B602, 00B1B607
APPEND, xrefs: 00B1B6C1, 00B1B6C6
KEYS, xrefs: 00B1B647, 00B1B64C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: dc05ec555caf2a413ac10a661a62e946088ee51725931945d5ea10ae8b519819
Instruction ID: 9fa97facd278411505d6b1f5d3cc1a6d4b3a116a09f50fdc601db107e2460897
Opcode Fuzzy Hash: dc05ec555caf2a413ac10a661a62e946088ee51725931945d5ea10ae8b519819
Instruction Fuzzy Hash: F241E732A001269BCB105F7DC9909FEF7E5EB70794B6441A9E425D7284E731CDC1C790

Function 00B25393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B25416
GetLastError.KERNEL32 ref: 00B25420
SetErrorMode.KERNEL32(00000000,READY), ref: 00B254A7

Strings

INVALID, xrefs: 00B25459
NOTREADY, xrefs: 00B2544B
UNKNOWN, xrefs: 00B25444
READONLY, xrefs: 00B25452
READY, xrefs: 00B25460, 00B25468

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fef2b958113aaa3dc31315f4b0bc9cb988cce49a72406d9147240d2760cf798e
Instruction ID: 2f121229769ce868bb8d6d4b7d9cc5a5e9235d83d403fdc24d1643228d2b64d3
Opcode Fuzzy Hash: fef2b958113aaa3dc31315f4b0bc9cb988cce49a72406d9147240d2760cf798e
Instruction Fuzzy Hash: CA31E335A005149FD720EF68D484AEABBF4FF09305F1480A6E529CB396DB71DD86CB90

Function 00B43C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00B43C79
SetMenu.USER32(?,00000000), ref: 00B43C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B43D10
IsMenu.USER32(?), ref: 00B43D24
CreatePopupMenu.USER32 ref: 00B43D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B43D5B
DrawMenuBar.USER32 ref: 00B43D63

Strings

F, xrefs: 00B43D4E
0, xrefs: 00B43C54

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 7e0d63a68daa8c4342992f0f68f23c16307f02ae461f4015cd2df8a7e20d8d5b
Instruction ID: e2ecac6efb33da50ca3cd7a67d8c831f75fdad69031271b704919f4bb9f3b3d4
Opcode Fuzzy Hash: 7e0d63a68daa8c4342992f0f68f23c16307f02ae461f4015cd2df8a7e20d8d5b
Instruction Fuzzy Hash: DA416B79A02209AFDB14CF64D884AAE7BF5FF49750F180069F95697360DB30AA10DF90

Function 00B11EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B11F64
GetDlgCtrlID.USER32 ref: 00B11F6F
GetParent.USER32 ref: 00B11F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B11F8E
GetDlgCtrlID.USER32(?), ref: 00B11F97
GetParent.USER32(?), ref: 00B11FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B11FAE

Strings

ListBox, xrefs: 00B11F21
ComboBox, xrefs: 00B11EEC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 16eb48e633d1ec040db123d81d9f94776fa2d2038a43d3cbd2cce88a3a6b88cc
Instruction ID: 497bb49e0995e8dc7f3a6fba7398aa11d0e77af521d05e0a659db781eac716ad
Opcode Fuzzy Hash: 16eb48e633d1ec040db123d81d9f94776fa2d2038a43d3cbd2cce88a3a6b88cc
Instruction Fuzzy Hash: B521D074900218BFCF00AFA4CC849EEBFB8EF16300F508585BA65632A1DB7549498B60

Function 00B43A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B43A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B43AA0
GetWindowLongW.USER32(?,000000F0), ref: 00B43AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B43AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B43B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B43BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B43BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B43BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B43BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B43C13

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: bf22b2cadcbb284e120cfa506f4f36f7016e11a65d6646f4b70a1af1aab7000b
Instruction ID: 096c359c7a225fb1dc16f544389d936012444f36983ca604d1933dfa75f2178e
Opcode Fuzzy Hash: bf22b2cadcbb284e120cfa506f4f36f7016e11a65d6646f4b70a1af1aab7000b
Instruction Fuzzy Hash: B7615A75900248AFDB10DFA8CC81EEE77F8EB09710F144199FA15A72A2D774AE46EF50

Function 00B1B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B1B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B165
GetWindowThreadProcessId.USER32(00000000), ref: 00B1B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B1B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B1A1E1,?,00000001), ref: 00B1B21D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c384b843c3ee6e31cd5a0b38a1bc031fea26e2ce95ae77288214d9fc4a448680
Instruction ID: b1e680af5caa50a2d259adbc7927c4a7e36e8bc2b2ca41977096b8445c3337ff
Opcode Fuzzy Hash: c384b843c3ee6e31cd5a0b38a1bc031fea26e2ce95ae77288214d9fc4a448680
Instruction Fuzzy Hash: 78319C75501204FFDB109F64DC68FA97FE9FB52B11F618044FA00D71A0DBB49A84CBA0

Function 00AE2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AE2C94

Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0

_free.LIBCMT ref: 00AE2CA0
_free.LIBCMT ref: 00AE2CAB
_free.LIBCMT ref: 00AE2CB6
_free.LIBCMT ref: 00AE2CC1
_free.LIBCMT ref: 00AE2CCC
_free.LIBCMT ref: 00AE2CD7
_free.LIBCMT ref: 00AE2CE2
_free.LIBCMT ref: 00AE2CED
_free.LIBCMT ref: 00AE2CFB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c911e1df2577868b928d8fde9274ca3e00832e6687cb4d949d6fd26371231007
Instruction ID: e4fdf30b1053dc86afaa364b1e3f85260641b54348fa03c6414a5c3a72733e21
Opcode Fuzzy Hash: c911e1df2577868b928d8fde9274ca3e00832e6687cb4d949d6fd26371231007
Instruction Fuzzy Hash: 2111E67610014CBFCB02EF56DA82EDD3BA9FF45350F4254A0FA489F222DA35EE509B90

Function 00B27DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B27FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B27FC1
GetFileAttributesW.KERNEL32(?), ref: 00B27FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B28005
SetCurrentDirectoryW.KERNEL32(?), ref: 00B28017
SetCurrentDirectoryW.KERNEL32(?), ref: 00B28060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B280B0

Strings

*.*, xrefs: 00B28066

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 48daa51c5bf5392d620ea7cbc20216c188efacba39ead351b9971efded56bd55
Instruction ID: d2565f3a53e4564898f925998980d195dfce22d43828fe4a2521ccf602d7582d
Opcode Fuzzy Hash: 48daa51c5bf5392d620ea7cbc20216c188efacba39ead351b9971efded56bd55
Instruction Fuzzy Hash: BD81CF725482519BCB20EF14D8849AFB3ECFF89310F15489EF889D7251EB34DD498BA6

Function 00AB5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00AB5C7A

Part of subcall function 00AB5D0A: GetClientRect.USER32(?,?), ref: 00AB5D30
Part of subcall function 00AB5D0A: GetWindowRect.USER32(?,?), ref: 00AB5D71
Part of subcall function 00AB5D0A: ScreenToClient.USER32(?,?), ref: 00AB5D99

GetDC.USER32 ref: 00AF46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AF4708
SelectObject.GDI32(00000000,00000000), ref: 00AF4716
SelectObject.GDI32(00000000,00000000), ref: 00AF472B
ReleaseDC.USER32(?,00000000), ref: 00AF4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AF47C4

Strings

U, xrefs: 00AF4693

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 146089fbff78fb6f18575021f534dac37194ebcc8f01609f4b0a31646ec73de3
Instruction ID: 2be4e7e51e5ec56b1e11bc86d9d7365a224cf0882046c9759ead09759df1725d
Opcode Fuzzy Hash: 146089fbff78fb6f18575021f534dac37194ebcc8f01609f4b0a31646ec73de3
Instruction Fuzzy Hash: 1571DF34800209DFCF219FA4C984AFB7BBAFF4A360F144269FE559A266C7318941DF50

Function 00B2359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B235E4

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

LoadStringW.USER32(00B82390,?,00000FFF,?), ref: 00B2360A

Strings

Line %d (File "%s"):, xrefs: 00B2366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00B23724
"%s" (%d) : ==> %s:, xrefs: 00B23742
^ ERROR, xrefs: 00B236C9
Error: , xrefs: 00B236EF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8adb723bd25635f9f9abbf77520906f722d32e6f7b935b30fa7a1ffe05a3dd72
Instruction ID: 3f3fe0c67eee2ff956777dc1a3b27c2321b66400aff8fb635f12f86ed0253137
Opcode Fuzzy Hash: 8adb723bd25635f9f9abbf77520906f722d32e6f7b935b30fa7a1ffe05a3dd72
Instruction Fuzzy Hash: EC517F72800219BBCF15EBA0DD82EEEBBB8EF04700F544165F119721A2DB355B99DFA1

Function 00B2C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B2C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B2C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B2C2CA
GetLastError.KERNEL32 ref: 00B2C322
SetEvent.KERNEL32(?), ref: 00B2C336
InternetCloseHandle.WININET(00000000), ref: 00B2C341

Strings

, xrefs: 00B2C2BB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fd51b5ae4faff87f74b6c125439aae06bf11e79836bf0dbadc9b637d5cfecc84
Instruction ID: a9f70120743e8771c1ccbc49bf1e926f011c78954205a99014a48b447440067b
Opcode Fuzzy Hash: fd51b5ae4faff87f74b6c125439aae06bf11e79836bf0dbadc9b637d5cfecc84
Instruction Fuzzy Hash: 96319CB1600618AFD721DFA4AC88AAF7FFCFB4A744B10895EF44A93200DB70DD448B65

Function 00B1989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AF3AAF,?,?,Bad directive syntax error,00B4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B198BC
LoadStringW.USER32(00000000,?,00AF3AAF,?), ref: 00B198C3

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B19987

Strings

Line %d (File "%s"):, xrefs: 00B1992D
Line %d:, xrefs: 00B19912
%s (%d) : ==> %s.: %s %s, xrefs: 00B198F1
Error: , xrefs: 00B19955
., xrefs: 00B1996D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 55c2c1071c57fa736cda96fe7978f2e518f669ec6cbfb44fd0425733967d2792
Instruction ID: 474583ef2ddbd4435ffe0518752a961928322ddda3d37bc4608b69e787d07941
Opcode Fuzzy Hash: 55c2c1071c57fa736cda96fe7978f2e518f669ec6cbfb44fd0425733967d2792
Instruction Fuzzy Hash: 0E21913280021EBFCF15AF90CD56EEE7BB9FF18700F444499F519660A2EB319A58DB51

Function 00B1209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00B120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B1214D

Strings

SHELLDLL_DefView, xrefs: 00B120CC
largeicons, xrefs: 00B120E1
details, xrefs: 00B120FB
list, xrefs: 00B1212F
smallicons, xrefs: 00B12115

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b07f71fffe881ea975bb233b546b57b99d9e28b10bab6226f6fee28121810541
Instruction ID: 0872b911bdb18501f9b4109acf7f2bac7bb3ee50e36288e71734a552b965f329
Opcode Fuzzy Hash: b07f71fffe881ea975bb233b546b57b99d9e28b10bab6226f6fee28121810541
Instruction Fuzzy Hash: 2D117A3A684302BAFA10A720DC06CFA37DCDB0A720B204096FB09B51F1FEB158B11514

Function 00AE8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d656d5dbd9d472ec0c505232867f66f586808164052275b509949b69a5558c
Instruction ID: 217950d0a25a1e5a64facdce853bc66541b5c70cfd356a5078a0252d04befc57
Opcode Fuzzy Hash: a8d656d5dbd9d472ec0c505232867f66f586808164052275b509949b69a5558c
Instruction Fuzzy Hash: 1EC1F374904389AFDF11EFAAC841BEEBBB4BF19310F444199F519AB392CB349941CB61

Function 00AECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00AECEB7
_free.LIBCMT ref: 00AECF22
_free.LIBCMT ref: 00AECF48
_free.LIBCMT ref: 00AECF71
_free.LIBCMT ref: 00AECFA9
_free.LIBCMT ref: 00AECFDA
_free.LIBCMT ref: 00AED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00AED09C
_free.LIBCMT ref: 00AED0B5

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: bb2ab027f1384b6b9b14774d422b261b8d8aa4704ca2dba11f68c3e756cfbd23
Instruction ID: c9610b7a687d19cfc60fe5cd26e743aa8075e12d452078fd25f1331624f08769
Opcode Fuzzy Hash: bb2ab027f1384b6b9b14774d422b261b8d8aa4704ca2dba11f68c3e756cfbd23
Instruction Fuzzy Hash: 756167729043C4AFDB25AFBA9D81B6E7BA9EF05370F04416DF94197282EA319D02C790

Function 00B450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B45186
ShowWindow.USER32(?,00000000), ref: 00B451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00B451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B451D1

Part of subcall function 00B46FBA: DeleteObject.GDI32(00000000), ref: 00B46FE6

GetWindowLongW.USER32(?,000000F0), ref: 00B4520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B4521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B4524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B45287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B45296

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 9433b96adb78505fcfc614f8130fb08d2d75e8e3eef4e519176701adb7d7392b
Instruction ID: 5c28e8d4e4e487754d9e818dcc96c2c07dc6dd4a4a036101b2e30c34c930bfc6
Opcode Fuzzy Hash: 9433b96adb78505fcfc614f8130fb08d2d75e8e3eef4e519176701adb7d7392b
Instruction Fuzzy Hash: 48518230A41E08BFEF309F24CC49B993BE5FB05721F148096F515A62E2C7B59B80EB41

Function 00AC8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B06890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00B06901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B0691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00B0692D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: e686f0918628fabfb26aa12f4f556764514590f61d8eee1a28998ddfeb5bca11
Instruction ID: 1dcbdfced1941436a7baf462dd7affea26edc960626f2102ef9c0d9e1266204e
Opcode Fuzzy Hash: e686f0918628fabfb26aa12f4f556764514590f61d8eee1a28998ddfeb5bca11
Instruction Fuzzy Hash: E0518670600209EFDB208F28CC55FAA7BB5FB48750F118558F906972E0DB74EE91DB50

Function 00B2C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B2C182
GetLastError.KERNEL32 ref: 00B2C195
SetEvent.KERNEL32(?), ref: 00B2C1A9

Part of subcall function 00B2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B2C272
Part of subcall function 00B2C253: GetLastError.KERNEL32 ref: 00B2C322
Part of subcall function 00B2C253: SetEvent.KERNEL32(?), ref: 00B2C336
Part of subcall function 00B2C253: InternetCloseHandle.WININET(00000000), ref: 00B2C341

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4378090369a32f877f87d1bd5f9d31c55876c77b365b7668d4455412e76c0f34
Instruction ID: 6b40047511a02543aa016ea9b9e40a007517dfb6c9eb22438082c391dd0158c2
Opcode Fuzzy Hash: 4378090369a32f877f87d1bd5f9d31c55876c77b365b7668d4455412e76c0f34
Instruction Fuzzy Hash: 22318B75201B11EFDB219FA5ED44A6ABFF8FF19700B00446DF95A93620DB31E914EBA0

Function 00B125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B13A57
Part of subcall function 00B13A3D: GetCurrentThreadId.KERNEL32 ref: 00B13A5E
Part of subcall function 00B13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B125B3), ref: 00B13A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B12601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B12605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B1260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B12623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B12627

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: dd8327e750d8a2fa4e9e1c3f2b9b556690d7bc1ee122b0064b57fa918ec23c77
Instruction ID: 33b6f074563d65ab7f6379227914aadfc09816fe0af3a214a4cae6e5e806fcec
Opcode Fuzzy Hash: dd8327e750d8a2fa4e9e1c3f2b9b556690d7bc1ee122b0064b57fa918ec23c77
Instruction Fuzzy Hash: B901D430391210BBFB1067689C8AF993F99EF4EF12F600001F358AF0D1CDF225848AA9

Function 00B11803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B11449,?,?,00000000), ref: 00B1180C
HeapAlloc.KERNEL32(00000000,?,00B11449,?,?,00000000), ref: 00B11813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B11449,?,?,00000000), ref: 00B11828
GetCurrentProcess.KERNEL32(?,00000000,?,00B11449,?,?,00000000), ref: 00B11830
DuplicateHandle.KERNEL32(00000000,?,00B11449,?,?,00000000), ref: 00B11833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B11449,?,?,00000000), ref: 00B11843
GetCurrentProcess.KERNEL32(00B11449,00000000,?,00B11449,?,?,00000000), ref: 00B1184B
DuplicateHandle.KERNEL32(00000000,?,00B11449,?,?,00000000), ref: 00B1184E
CreateThread.KERNEL32(00000000,00000000,00B11874,00000000,00000000,00000000), ref: 00B11868

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7efd9ce9b1bd24cafb274424bd8d0f9fb9913d3e888024d5d8fe59a59ff599c0
Instruction ID: 2859a263eb8e3fa8f3914c8e7e54dc0fea019e4a4df5fa52f5dbeffca3a2e847
Opcode Fuzzy Hash: 7efd9ce9b1bd24cafb274424bd8d0f9fb9913d3e888024d5d8fe59a59ff599c0
Instruction Fuzzy Hash: 6601AC75241304BFE650ABA9DC49F573BACFB8AB11F504411FA05DB1A1CA7099008B20

Function 00B3A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B1D501
Part of subcall function 00B1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B1D50F
Part of subcall function 00B1D4DC: CloseHandle.KERNEL32(00000000), ref: 00B1D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B3A16D
GetLastError.KERNEL32 ref: 00B3A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B3A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B3A268
GetLastError.KERNEL32(00000000), ref: 00B3A273
CloseHandle.KERNEL32(00000000), ref: 00B3A2C4

Strings

SeDebugPrivilege, xrefs: 00B3A18F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f9ab8352199020201c6b4d9be482666b2c9934453cf597e1fa0a172dac0e707e
Instruction ID: e2769bb7fb417a2b782b878b942b3eafc21ea74228b851d6fce3f599968e3745
Opcode Fuzzy Hash: f9ab8352199020201c6b4d9be482666b2c9934453cf597e1fa0a172dac0e707e
Instruction Fuzzy Hash: 3B618E342046419FD710DF19C894F66BBE5AF45318F2484CCE4A68B7A3C776ED49CB92

Function 00B43886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B43925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B4393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B43954
_wcslen.LIBCMT ref: 00B43999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B439F4

Strings

SysListView32, xrefs: 00B438F7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: adfa8e4713c0a8c092cc2eef2c2d86f930d4073f10f3947463726e17954a3b3f
Instruction ID: e7bca65972d394f9b0d544ec1a8c7fa2bcd5aba508086e4127276ddae28ad96b
Opcode Fuzzy Hash: adfa8e4713c0a8c092cc2eef2c2d86f930d4073f10f3947463726e17954a3b3f
Instruction Fuzzy Hash: 5A41F131A00208ABEF219FA4CC49BEE7BE9FF08750F140166F959E7281D7719E80DB90

Function 00B1BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B1BCFD
IsMenu.USER32(00000000), ref: 00B1BD1D
CreatePopupMenu.USER32 ref: 00B1BD53
GetMenuItemCount.USER32(01125878), ref: 00B1BDA4
InsertMenuItemW.USER32(01125878,?,00000001,00000030), ref: 00B1BDCC

Strings

0, xrefs: 00B1BCA8
2, xrefs: 00B1BD37

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e93b315b20f7cc3db3acdd3ff3d203e2a02bfd2347b68573e760bc07d834b314
Instruction ID: 7caf28d11efa196b3cc48254897cde4ff76a9c8ca433f6e184423afe8e32c489
Opcode Fuzzy Hash: e93b315b20f7cc3db3acdd3ff3d203e2a02bfd2347b68573e760bc07d834b314
Instruction Fuzzy Hash: 15518C70A00205ABDB18CFA8E8C5FEEBBF4FF59314F6441A9E411D7291D7709981CB61

Function 00B1C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B1C913

Strings

stop, xrefs: 00B1C8E4
warning, xrefs: 00B1C8FC
info, xrefs: 00B1C8B4
question, xrefs: 00B1C8CC
blank, xrefs: 00B1C895

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8811498b4ff28dd5d2d89e7c06d0090d21bd42e06336ab54f4562d2f38f93c0f
Instruction ID: 17857a88839b7798956b2998fc5c8fb755d204c5858f838160ba273ac670c0c3
Opcode Fuzzy Hash: 8811498b4ff28dd5d2d89e7c06d0090d21bd42e06336ab54f4562d2f38f93c0f
Instruction Fuzzy Hash: FC113D316C9706BBE7065B549CC3CEE3BDCDF153E4B9050ABF904AA2D2E7705E805264

Function 00B1ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B1ED2A
_wcslen.LIBCMT ref: 00B1ED3B
_wcslen.LIBCMT ref: 00B1ED79
_wcslen.LIBCMT ref: 00B1EDAF
_wcslen.LIBCMT ref: 00B1EDDF
_wcslen.LIBCMT ref: 00B1EDEF
_wcslen.LIBCMT ref: 00B1EE2B
_wcslen.LIBCMT ref: 00B1EE5A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: eb584c87254c0a5770b745201408a8f524eef7b56051e75b34902238e35c6f54
Instruction ID: 9d223bc801e240bf86f9753925c04b902d0ccb49c167d2086ce3005862ccd3c9
Opcode Fuzzy Hash: eb584c87254c0a5770b745201408a8f524eef7b56051e75b34902238e35c6f54
Instruction Fuzzy Hash: 6F418066C1021876DB11EBB48C8A9CFB7ACAF45710F508463F929E3221FB34E295C7E5

Function 00ACF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00ACF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00B0F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00B0F454

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c4f6839f03027ae9dfda58a9de2ac6fba7183078014e40ace50f5e160b0532e6
Instruction ID: 7f3b6a6536a17092c980041dc6ee3cb6d00189d6cfb5105945061249b61efd83
Opcode Fuzzy Hash: c4f6839f03027ae9dfda58a9de2ac6fba7183078014e40ace50f5e160b0532e6
Instruction Fuzzy Hash: E941E635608640BECF798B298888F7A7FE3BB56310F16447DE49757AA0CA35A980C711

Function 00B42D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B42D1B
GetDC.USER32(00000000), ref: 00B42D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B42D2E
ReleaseDC.USER32(00000000,00000000), ref: 00B42D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B42D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B42D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B42DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B42DE1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 912c234d122f881031673ac4a5329370498a92d084ec374fb552ae6c437f2d60
Instruction ID: c627af10fe7f9a3c7185c1e7944e85665bef6c9dfb46181f7386bbdd68314c73
Opcode Fuzzy Hash: 912c234d122f881031673ac4a5329370498a92d084ec374fb552ae6c437f2d60
Instruction Fuzzy Hash: 2E316D76202614BBEB214F508C89FEB3FA9FB0AB15F0440A5FE089B291CA759D50D7A4

Function 00B15622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B15637
_memcmp.LIBVCRUNTIME ref: 00B15659
_memcmp.LIBVCRUNTIME ref: 00B15671
_memcmp.LIBVCRUNTIME ref: 00B15684
_memcmp.LIBVCRUNTIME ref: 00B1569E
_memcmp.LIBVCRUNTIME ref: 00B156B1
_memcmp.LIBVCRUNTIME ref: 00B156C9
_memcmp.LIBVCRUNTIME ref: 00B156E4

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8100e8ee9056cd513dc3f56fc794fd95f225f521b61f8c0bf5f6b693c9558b07
Instruction ID: 0556098688b4bf30e1cf65a5bfe7e97daf8092b09154273819e544ef5f56f2b7
Opcode Fuzzy Hash: 8100e8ee9056cd513dc3f56fc794fd95f225f521b61f8c0bf5f6b693c9558b07
Instruction Fuzzy Hash: A421C961640A0AFBD62459219EC2FFA33ECEFA1384F8400A1FD059F682F760EE5091E5

Function 00B34FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00B3502E, 00B35383
Not an Object type, xrefs: 00B35007

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e42e99c5af57c636e8b3a8ae52eedcb66dc42f11e0f32bcfe2e9b8bd915f82bf
Instruction ID: 18237e6d2d4450eb0c8e6dc8ae50ffaf99315f207ad4738bdfeb49e7cf324ee2
Opcode Fuzzy Hash: e42e99c5af57c636e8b3a8ae52eedcb66dc42f11e0f32bcfe2e9b8bd915f82bf
Instruction Fuzzy Hash: EAD1A275A0060A9FDF24CF98C881BAEB7F5FF48344F2484A9E915AB281D771ED45CB90

Function 00AF1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00AF15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00AF1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AF16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00AF16FB

Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AF1777
__freea.LIBCMT ref: 00AF17A2
__freea.LIBCMT ref: 00AF17AE

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2e91fe23b721600a12e26eb7591eb1795de800d1eaafa58d9cf377f7c0d56ad8
Instruction ID: 265ff15dd5bb83133ca94a473cd930bee8d9326f6430cb3f7109269ed67c7dba
Opcode Fuzzy Hash: 2e91fe23b721600a12e26eb7591eb1795de800d1eaafa58d9cf377f7c0d56ad8
Instruction Fuzzy Hash: E791B072E0021ADADF209FF5C981AFEBBB5AF49710F184659FA05E7150DB35DD408BA0

Function 00B34523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B34648
VariantInit.OLEAUT32(?), ref: 00B34749
VariantClear.OLEAUT32(?), ref: 00B34753
VariantClear.OLEAUT32(?), ref: 00B347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B345D8, 00B34706, 00B347BE
Incorrect Object type in FOR..IN loop, xrefs: 00B3472C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d0881ec1eebe201dc725d187fcebbe7a58c63025e84442bcf5e24c439962bcdc
Instruction ID: 0bc86f448b46c03877d10f53d5ccf9278419d0bdd590f8e3aeb0e9f8ee02c24a
Opcode Fuzzy Hash: d0881ec1eebe201dc725d187fcebbe7a58c63025e84442bcf5e24c439962bcdc
Instruction Fuzzy Hash: 57918071A00215EBDF20CFA4D885FAEBBF8EF46710F208599F515AB291D770AD45CBA0

Function 00B21187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B2125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B21284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B2135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B21430

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 55f4abc563b309ab471d23da071cceac4396cf6d3da8eb789bc49146ef5587f4
Instruction ID: 73fd0a99bbbbf65f6b15e378917268919a13409479743c09ec006ae3e7741251
Opcode Fuzzy Hash: 55f4abc563b309ab471d23da071cceac4396cf6d3da8eb789bc49146ef5587f4
Instruction Fuzzy Hash: 8B911375A00228AFDB00DFA8E884BFE77F5FF15714F1048A9E918EB291D774A941CB90

Function 00AC948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f9d626e40a7e87edc85086e11f60c83b89647c741dc8981cef47426ece3bbccc
Instruction ID: 1fcff28ea52dbeb4b9c08904a335da97489a32703826b3c7d869e90451857c87
Opcode Fuzzy Hash: f9d626e40a7e87edc85086e11f60c83b89647c741dc8981cef47426ece3bbccc
Instruction Fuzzy Hash: ED913771D40219EFCB10CFA9C988AEEBBB8FF49320F158059E515B7291D774AA42CB60

Function 00B33947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B3396B
CharUpperBuffW.USER32(?,?), ref: 00B33A7A
_wcslen.LIBCMT ref: 00B33A8A
VariantClear.OLEAUT32(?), ref: 00B33C1F

Part of subcall function 00B20CDF: VariantInit.OLEAUT32(00000000), ref: 00B20D1F
Part of subcall function 00B20CDF: VariantCopy.OLEAUT32(?,?), ref: 00B20D28
Part of subcall function 00B20CDF: VariantClear.OLEAUT32(?), ref: 00B20D34

Strings

Incorrect Parameter format, xrefs: 00B339A6, 00B33BA1
AUTOIT.ERROR, xrefs: 00B33A80, 00B33A85

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7d463eb06d3633d0487a67ed2f66de1610009bb16381c555dab007eee882ab11
Instruction ID: 5371572972eb8896449c08f3c0304a759c9fa6b12a7a4445abf808d6f0b97ff0
Opcode Fuzzy Hash: 7d463eb06d3633d0487a67ed2f66de1610009bb16381c555dab007eee882ab11
Instruction Fuzzy Hash: 8C9147756083019FC700DF24C58196ABBE4FF89714F2489ADF89A9B351DB30EE45CB92

Function 00B34BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?,?,00B1035E), ref: 00B1002B
Part of subcall function 00B1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10046
Part of subcall function 00B1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10054
Part of subcall function 00B1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?), ref: 00B10064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B34C51
_wcslen.LIBCMT ref: 00B34D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B34DCF
CoTaskMemFree.OLE32(?), ref: 00B34DDA

Strings

NULL Pointer assignment, xrefs: 00B34E23, 00B34E52

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6a3931ec4053fea6564f671e46613feb463381599083e8a97b16ea9fc9d18bfd
Instruction ID: c091629dd0bf3b6737778eba18e23afa1e79bce20008d7e798a999b888cff830
Opcode Fuzzy Hash: 6a3931ec4053fea6564f671e46613feb463381599083e8a97b16ea9fc9d18bfd
Instruction Fuzzy Hash: 4E910971D002199FDF14DFA4D891AEEBBB8FF08310F2085AAE515A7251DB74AE45CF60

Function 00B420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B42183
GetMenuItemCount.USER32(00000000), ref: 00B421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B421DD
_wcslen.LIBCMT ref: 00B42213
GetMenuItemID.USER32(?,?), ref: 00B4224D
GetSubMenu.USER32(?,?), ref: 00B4225B

Part of subcall function 00B13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B13A57
Part of subcall function 00B13A3D: GetCurrentThreadId.KERNEL32 ref: 00B13A5E
Part of subcall function 00B13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B125B3), ref: 00B13A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B422E3

Part of subcall function 00B1E97B: Sleep.KERNEL32 ref: 00B1E9F3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 59ee8a1456d5599627d088369b07becfb49bdfaac0e5685c5f10d0436a11bd0d
Instruction ID: a26d2dedd8e9a91959792e1cee22fd6f23bf7b95a1bd3c5717324c8909e2bb2f
Opcode Fuzzy Hash: 59ee8a1456d5599627d088369b07becfb49bdfaac0e5685c5f10d0436a11bd0d
Instruction Fuzzy Hash: 38718E75A00205AFCB10DF64C981AAEBBF5FF88310F508499F916EB341DB74EE41AB90

Function 00B47E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011255A8), ref: 00B47F37
IsWindowEnabled.USER32(011255A8), ref: 00B47F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B4801E
SendMessageW.USER32(011255A8,000000B0,?,?), ref: 00B48051
IsDlgButtonChecked.USER32(?,?), ref: 00B48089
GetWindowLongW.USER32(011255A8,000000EC), ref: 00B480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B480C3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: e6f77e8a4446961a3ea8a421db454f18a736f9eea246dce5576a9c0667488113
Instruction ID: 189f1ab4db1832651c8944beef964c02545686e989886e9d53acb18176f0230c
Opcode Fuzzy Hash: e6f77e8a4446961a3ea8a421db454f18a736f9eea246dce5576a9c0667488113
Instruction Fuzzy Hash: A6718E34649244AFEB219F64C884FBA7BF9FF1A300F14449AE94597261CF31AE49EB50

Function 00B1AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B1AEF9
GetKeyboardState.USER32(?), ref: 00B1AF0E
SetKeyboardState.USER32(?), ref: 00B1AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B1AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B1AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B1AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B1B020

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7faa8f6969708e170d583f7519c556aa6a01230ba7aac6861d45dee8fea16bcc
Instruction ID: 4edafadb3e3e85a7a90c8b83c1eb7fb57ceacd75fad8df3b589abc42467d16f9
Opcode Fuzzy Hash: 7faa8f6969708e170d583f7519c556aa6a01230ba7aac6861d45dee8fea16bcc
Instruction Fuzzy Hash: 0351E4A16057D53DFB3642348C49BFA7FE99B06304F4884C9F1D9868C2C3A8ADC9D761

Function 00B1ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B1AD19
GetKeyboardState.USER32(?), ref: 00B1AD2E
SetKeyboardState.USER32(?), ref: 00B1AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B1ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B1ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B1AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B1AE38

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 482f1a31c317662b07ed690f1e2a28db4e2a1a4b68670c3012f34e579ce94a8a
Instruction ID: c8bed683c2fe9c5e670da99d25d09fc0cd3ea7c7a160dcf432e0f9f6c0b44761
Opcode Fuzzy Hash: 482f1a31c317662b07ed690f1e2a28db4e2a1a4b68670c3012f34e579ce94a8a
Instruction Fuzzy Hash: 4951F3A15067D53DFB3283348C85BFABEE8AB46300F5884D8E0D5568C2C6A4FCD8D762

Function 00AE542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00AF3CD6,?,?,?,?,?,?,?,?,00AE5BA3,?,?,00AF3CD6,?,?), ref: 00AE5470
__fassign.LIBCMT ref: 00AE54EB
__fassign.LIBCMT ref: 00AE5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AF3CD6,00000005,00000000,00000000), ref: 00AE552C
WriteFile.KERNEL32(?,00AF3CD6,00000000,00AE5BA3,00000000,?,?,?,?,?,?,?,?,?,00AE5BA3,?), ref: 00AE554B
WriteFile.KERNEL32(?,?,00000001,00AE5BA3,00000000,?,?,?,?,?,?,?,?,?,00AE5BA3,?), ref: 00AE5584

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2b834c8fe09206eb8cc51efa1f0d7c3e239a23de31a0089d5d771f7c837cd10b
Instruction ID: 41108ff56d4a71d23c1713041c8ddf0a0be92b99ad1308abb3c26406da2503ec
Opcode Fuzzy Hash: 2b834c8fe09206eb8cc51efa1f0d7c3e239a23de31a0089d5d771f7c837cd10b
Instruction Fuzzy Hash: 1851B371E00689AFDB10CFB9E845AEEBBF9EF09304F14415AF555E7291D7309A41CB60

Function 00AD2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00AD2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00AD2D53
_ValidateLocalCookies.LIBCMT ref: 00AD2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00AD2E0C
_ValidateLocalCookies.LIBCMT ref: 00AD2E61

Strings

csm, xrefs: 00AD2DF6

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2e38d395779904f264445258fe9e8b9dfe154fb665ea2d289783b95978af3bff
Instruction ID: a631aa8298e4507b582c045ef4d1ddcd688da8b136c778aa75585869caf9da72
Opcode Fuzzy Hash: 2e38d395779904f264445258fe9e8b9dfe154fb665ea2d289783b95978af3bff
Instruction Fuzzy Hash: AE41A335A00209ABCF10DF68C845B9EBFB5BF54324F148196E8566B392DB31AE05CBD1

Function 00B310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B3307A
Part of subcall function 00B3304E: _wcslen.LIBCMT ref: 00B3309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B31112
WSAGetLastError.WSOCK32 ref: 00B31121
WSAGetLastError.WSOCK32 ref: 00B311C9
closesocket.WSOCK32(00000000), ref: 00B311F9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 7fe681a00daaa74a8619dc0c8528991b76f922498fde7348dfad1664b52e4f38
Instruction ID: bb066e0b5db23870e454008fe9ca8f6ab8623e78f3d1aff3e5bf7483b9dc91f8
Opcode Fuzzy Hash: 7fe681a00daaa74a8619dc0c8528991b76f922498fde7348dfad1664b52e4f38
Instruction Fuzzy Hash: AB41F935600604AFD7109F18C885BE9BBEDFF45724F248595FD05AB291CB70AE41CBE1

Function 00B1CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B1CF22,?), ref: 00B1DDFD

Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B1CF22,?), ref: 00B1DE16

lstrcmpiW.KERNEL32(?,?), ref: 00B1CF45
MoveFileW.KERNEL32(?,?), ref: 00B1CF7F
_wcslen.LIBCMT ref: 00B1D005
_wcslen.LIBCMT ref: 00B1D01B
SHFileOperationW.SHELL32(?), ref: 00B1D061

Strings

\*.*, xrefs: 00B1CFF3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d8fff306e5b39430295ac98b5c9ece97c36616ffebd55d658bb87d0488c3f13f
Instruction ID: 628efb422f29ae71dd91ae29c3e56bfe1dedca4564de46b1141ace14f507f262
Opcode Fuzzy Hash: d8fff306e5b39430295ac98b5c9ece97c36616ffebd55d658bb87d0488c3f13f
Instruction Fuzzy Hash: DC4134719452195FDF12EFA4DA81ADEBBF9AF08340F5000E6E509EB142EA34E789CB50

Function 00B42DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B42E1C
GetWindowLongW.USER32(?,000000F0), ref: 00B42E4F
GetWindowLongW.USER32(?,000000F0), ref: 00B42E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B42EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B42EE0
GetWindowLongW.USER32(?,000000F0), ref: 00B42EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B42F0B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e50cfa18b5ede03cabaf2782766b0bddedca4ee84c3f36b9d7c59329834086c2
Instruction ID: 38db736c9df45ebfb0ac895428e5a3ddb86e4e2840c08351b782aee4afde7b2d
Opcode Fuzzy Hash: e50cfa18b5ede03cabaf2782766b0bddedca4ee84c3f36b9d7c59329834086c2
Instruction Fuzzy Hash: AC311534686141AFDB20CF5CDC85F6537E4FB8AB10F9501A4F9148B2B2CB71AE41EB01

Function 00B17726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B17769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B1778F
SysAllocString.OLEAUT32(00000000), ref: 00B17792
SysAllocString.OLEAUT32(?), ref: 00B177B0
SysFreeString.OLEAUT32(?), ref: 00B177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00B177DE
SysAllocString.OLEAUT32(?), ref: 00B177EC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ac47d769b58195bc571d1f77a6276f0ab0722c17b7546b097cba2739b374fe70
Instruction ID: c05c827434b7c065c646e11b7be10b65609b089e1de3818fa494c8c20266cdd8
Opcode Fuzzy Hash: ac47d769b58195bc571d1f77a6276f0ab0722c17b7546b097cba2739b374fe70
Instruction Fuzzy Hash: 0A21D13A604219AFDF00DFA8CC88CFB77ECFB09760B408065B915DB290DA70DD8187A0

Function 00B177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B17842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B17868
SysAllocString.OLEAUT32(00000000), ref: 00B1786B
SysAllocString.OLEAUT32 ref: 00B1788C
SysFreeString.OLEAUT32 ref: 00B17895
StringFromGUID2.OLE32(?,?,00000028), ref: 00B178AF
SysAllocString.OLEAUT32(?), ref: 00B178BD

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7d0c42f34f35f295574ff97ffa0cf9ced3ac153dade2468cb2cb3cbd215d2553
Instruction ID: 8812ea51237ecb8821493df9baa96956770be9c7489497f361430a3ca9bb4505
Opcode Fuzzy Hash: 7d0c42f34f35f295574ff97ffa0cf9ced3ac153dade2468cb2cb3cbd215d2553
Instruction Fuzzy Hash: 1321A936608204AF9B10AFA9CC8CDEA7BFCFB097607508065B915CB2A1DA74DD81CB74

Function 00B204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B2052E

Strings

nul, xrefs: 00B20567

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 89c670593ba2e4c2885fd71bceb7f6c27b1dfd2c46f195118ca353ec1eb640d4
Instruction ID: 5ca439c289fb2fc03a10db3de627ca599fb381133414327e4ad6b436537196dd
Opcode Fuzzy Hash: 89c670593ba2e4c2885fd71bceb7f6c27b1dfd2c46f195118ca353ec1eb640d4
Instruction Fuzzy Hash: 0821B4746103199FCB20AF28EC84A9A7BF4FF55720F204A59F8A5D31E1D7B09940CF60

Function 00B205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B20601

Strings

nul, xrefs: 00B20639

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b3bc4d1f8f1c0e9ea89729513dcdde6552447009632faed0e7712a7b7b4492a8
Instruction ID: 6752d5a8542a22acc5156de34578ce5aee49c357287a8a132b30f855dd3b7a84
Opcode Fuzzy Hash: b3bc4d1f8f1c0e9ea89729513dcdde6552447009632faed0e7712a7b7b4492a8
Instruction Fuzzy Hash: 5021B5355103259FDB21AF68EC44A5A77F4FF95720F200A59F8A5E32E5DBB09960CB10

Function 00B440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AB604C
Part of subcall function 00AB600E: GetStockObject.GDI32(00000011), ref: 00AB6060
Part of subcall function 00AB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B44112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B4411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B4412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B44139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B44145

Strings

Msctls_Progress32, xrefs: 00B440E3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d875c179de524c2be6b5faa18ae3fe2c7f0288af023493235caf26ead6d07672
Instruction ID: b2d29577e8426096f3cbc090d6385c00fdb2abec3e205ed7f3773b7634e75a67
Opcode Fuzzy Hash: d875c179de524c2be6b5faa18ae3fe2c7f0288af023493235caf26ead6d07672
Instruction Fuzzy Hash: 0D11B6B114011DBEEF119F64CC85EE77F9DEF08798F018111BA18A6150CB729C21DBA4

Function 00AED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AED7A3: _free.LIBCMT ref: 00AED7CC

_free.LIBCMT ref: 00AED82D

Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0

_free.LIBCMT ref: 00AED838
_free.LIBCMT ref: 00AED843
_free.LIBCMT ref: 00AED897
_free.LIBCMT ref: 00AED8A2
_free.LIBCMT ref: 00AED8AD
_free.LIBCMT ref: 00AED8B8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: f894f3406d574476957c018d86e37cfdbe4108d26cdb96e5dce3b8309d30aa41
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 53114271540B88BAD631BFF2CE47FCB7BDCAF44700F404825B699AA493DA79B5058760

Function 00B1DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B1DA74
LoadStringW.USER32(00000000), ref: 00B1DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B1DA91
LoadStringW.USER32(00000000), ref: 00B1DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B1DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B1DAB9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7930abcb2aa02d6b44bd430638d653d456a1ebef74f442b9ac5603f6433c5e63
Instruction ID: 616a4ce5e47b0edbe41b82311d0a8fecfb1313657e53c7a836deb8f0e920e8b0
Opcode Fuzzy Hash: 7930abcb2aa02d6b44bd430638d653d456a1ebef74f442b9ac5603f6433c5e63
Instruction Fuzzy Hash: D70162F65002087FE790DBA09D89EF737ACEB09B01F404495B706E3041EA749E844F74

Function 00B2096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0111D3C8,0111D3C8), ref: 00B2097B
EnterCriticalSection.KERNEL32(0111D3A8,00000000), ref: 00B2098D
TerminateThread.KERNEL32(?,000001F6), ref: 00B2099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00B209A9
CloseHandle.KERNEL32(?), ref: 00B209B8
InterlockedExchange.KERNEL32(0111D3C8,000001F6), ref: 00B209C8
LeaveCriticalSection.KERNEL32(0111D3A8), ref: 00B209CF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 87c72d2a63507ae869a0c896fb09370ed637c9194d290ff190a35e51f428a79c
Instruction ID: dbe8e93059e19f520d6b702bba63a3643bff7b5d8dfa238079ffd3df87aace02
Opcode Fuzzy Hash: 87c72d2a63507ae869a0c896fb09370ed637c9194d290ff190a35e51f428a79c
Instruction Fuzzy Hash: 25F03131543912BBD7916F98EE8CBD67F35FF06B02F501015F102518A1CBB59565CF90

Function 00AB5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AB5D30
GetWindowRect.USER32(?,?), ref: 00AB5D71
ScreenToClient.USER32(?,?), ref: 00AB5D99
GetClientRect.USER32(?,?), ref: 00AB5ED7
GetWindowRect.USER32(?,?), ref: 00AB5EF8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4121344bbd5434d054e3f73436bf66179f71e3cb683a1b63964605f47c5d23f3
Instruction ID: ec9247311271a78463605ea483e92843d30f68666948a4770c2ed92d6c73cfd7
Opcode Fuzzy Hash: 4121344bbd5434d054e3f73436bf66179f71e3cb683a1b63964605f47c5d23f3
Instruction Fuzzy Hash: 2BB15538A00A4ADBDB10CFB9C4807EAB7F5BF58310F14851AE9A9D7250DB34EA51DB94

Function 00AE01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00AE00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AE00D6
__allrem.LIBCMT ref: 00AE00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AE010B
__allrem.LIBCMT ref: 00AE0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AE0140

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 3a4be85b8870f14f3eeec1cc4bc7e6d642a92a9f6cf8c3b9a618d2811ba31c02
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 9F810572A007469FE720AF6ACD41B6B73F9EF45724F24463AF512DA381E7B0D9408790

Function 00B31D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B33149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00B3101C,00000000,?,?,00000000), ref: 00B33195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B31DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B31DE1
WSAGetLastError.WSOCK32 ref: 00B31DF2
inet_ntoa.WSOCK32(?), ref: 00B31E8C
htons.WSOCK32(?,?,?,?,?), ref: 00B31EDB
_strlen.LIBCMT ref: 00B31F35

Part of subcall function 00B139E8: _strlen.LIBCMT ref: 00B139F2

Part of subcall function 00AB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00ACCF58,?,?,?), ref: 00AB6DBA
Part of subcall function 00AB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00ACCF58,?,?,?), ref: 00AB6DED

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 0e910e66a51202dd4269397540c1575097120c15b897999a8424af37b990858b
Instruction ID: 6e6fd3a4ac4d7c1a3e4ed14993e5cea049d12a74cf336ce11be2318a9faafe04
Opcode Fuzzy Hash: 0e910e66a51202dd4269397540c1575097120c15b897999a8424af37b990858b
Instruction Fuzzy Hash: 2AA1CF31504340AFC324DF28C895F6A7BE9EF85318F64899CF4565B2A2CB71ED46CB92

Function 00AE61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AD82D9,00AD82D9,?,?,?,00AE644F,00000001,00000001,8BE85006), ref: 00AE6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AE644F,00000001,00000001,8BE85006,?,?,?), ref: 00AE62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AE63D8
__freea.LIBCMT ref: 00AE63E5

Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852

__freea.LIBCMT ref: 00AE63EE
__freea.LIBCMT ref: 00AE6413

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fb9eb8d6ef61d6097488a7e75065f1a2c1f0f78a8e1dbce34d377c3829520c19
Instruction ID: 85522b3e6b61541f7aaf5662b44c26e539cf40f3b04f9153c027ee53cd6eea6f
Opcode Fuzzy Hash: fb9eb8d6ef61d6097488a7e75065f1a2c1f0f78a8e1dbce34d377c3829520c19
Instruction Fuzzy Hash: 5051D372A00297ABDF258F66CD81EAF7BA9EB64790F154A29FD05DB180DB34DC40C660

Function 00B3BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3BD25
RegCloseKey.ADVAPI32(00000000), ref: 00B3BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B3BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B3BDF3
RegCloseKey.ADVAPI32(?), ref: 00B3BDFF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 0c2a98853004c8a5cc3e2d6c7d6337f9c0885f6ff556e70eb1a44d57f4e34a8c
Instruction ID: db31efdb257d6bc50fe29dfdeaba2469fc5d8be6b4aaf7806de8cb3a3551c755
Opcode Fuzzy Hash: 0c2a98853004c8a5cc3e2d6c7d6337f9c0885f6ff556e70eb1a44d57f4e34a8c
Instruction Fuzzy Hash: AF819230208241AFD714DF24C495E6ABBE9FF84308F2449ADF5594B2A2DB31ED45CB92

Function 00B0F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00B0F7B9
SysAllocString.OLEAUT32(00000001), ref: 00B0F860
VariantCopy.OLEAUT32(00B0FA64,00000000), ref: 00B0F889
VariantClear.OLEAUT32(00B0FA64), ref: 00B0F8AD
VariantCopy.OLEAUT32(00B0FA64,00000000), ref: 00B0F8B1
VariantClear.OLEAUT32(?), ref: 00B0F8BB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ec43a11133e37d2af0e872757c88ee81fda843c2198ffb32c36e7afab9b5362e
Instruction ID: 2b032021fa67b9c3735910e02b61092a210fbf1eb3fd0a4dde7dff7baebc6793
Opcode Fuzzy Hash: ec43a11133e37d2af0e872757c88ee81fda843c2198ffb32c36e7afab9b5362e
Instruction Fuzzy Hash: B051E235700312AACF30AB65D895B79BBE8EF45710B2094E6E906DF6D2DB70CC40C7A6

Function 00B2910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00B294E5
_wcslen.LIBCMT ref: 00B29506
_wcslen.LIBCMT ref: 00B2952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00B29585

Strings

X, xrefs: 00B29412

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1f90b10ae93028740ce273496116797394068f999640aa11a98b864d56e55921
Instruction ID: 03d9bf9539d4ef950f45caae97c701e785cb325666424d26a8cb86148182f9ef
Opcode Fuzzy Hash: 1f90b10ae93028740ce273496116797394068f999640aa11a98b864d56e55921
Instruction Fuzzy Hash: 34E180316043109FD724DF24D981AAAB7E4FF85314F1489ADF89E9B2A2DB31DD05CB92

Function 00AC920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

BeginPaint.USER32(?,?,?), ref: 00AC9241
GetWindowRect.USER32(?,?), ref: 00AC92A5
ScreenToClient.USER32(?,?), ref: 00AC92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AC92D3
EndPaint.USER32(?,?,?,?,?), ref: 00AC9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B071EA

Part of subcall function 00AC9339: BeginPath.GDI32(00000000), ref: 00AC9357

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 698cea3bc03864fda47d6e06d31c0abc782d7f5884c51b2e872f74788cba9ebf
Instruction ID: 9e65f017ad7b67702dc363d0c748a6a66d9fcae833e2b7edabd173451518d41f
Opcode Fuzzy Hash: 698cea3bc03864fda47d6e06d31c0abc782d7f5884c51b2e872f74788cba9ebf
Instruction Fuzzy Hash: BC418A30105200AFD7109F28C888FAB7BA8FB46720F04066DF9A49B2F1CB31A946DB61

Function 00B207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B2080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B20847
EnterCriticalSection.KERNEL32(?), ref: 00B20863
LeaveCriticalSection.KERNEL32(?), ref: 00B208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B20921

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: bf5ef6642be2ffde9656b0f7d6086d4f259158519765d5b26d20ca4be2f8199b
Instruction ID: 7c7ef555065d41b9b36a4c2af7b992eda9103014183f57d0dd84cfd2ab5d5ee6
Opcode Fuzzy Hash: bf5ef6642be2ffde9656b0f7d6086d4f259158519765d5b26d20ca4be2f8199b
Instruction Fuzzy Hash: 46415971900205AFDF14AF54DC85A6A7BB9FF04700F1440A9E905AB297DB70DE60DBA4

Function 00B481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B0F3AB,00000000,?,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00B4824C
EnableWindow.USER32(?,00000000), ref: 00B48272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B482D1
ShowWindow.USER32(?,00000004), ref: 00B482E5
EnableWindow.USER32(?,00000001), ref: 00B4830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B4832F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d89e539e72f517a5248aaa85cbfced68da2da8c8a3bb328c96761cf39eb4e79f
Instruction ID: 5cc2985bc9183072bec65f5bc1b7c2ac5aafc4983a4db2979573239e1eec4c5d
Opcode Fuzzy Hash: d89e539e72f517a5248aaa85cbfced68da2da8c8a3bb328c96761cf39eb4e79f
Instruction Fuzzy Hash: DC41B634602644AFDB12CF18C895BE87BE0FB46B14F1841E9E5484B272CB71AE42DF50

Function 00B14C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B14C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B14CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B14CEA
_wcslen.LIBCMT ref: 00B14D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B14D10
_wcsstr.LIBVCRUNTIME ref: 00B14D1A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b58f4cbb85859c160d847f7725aa25c7a7c953dde9421ea5e95d7532ddfcdae3
Instruction ID: 1ad17d738241c1722d34f9913f5b1fe1ea6db3cc8b173c5a071dd9a2c40df95e
Opcode Fuzzy Hash: b58f4cbb85859c160d847f7725aa25c7a7c953dde9421ea5e95d7532ddfcdae3
Instruction Fuzzy Hash: DF21F575205200BBEB155B25AD49EBB7BE8DF45B50F1180B9F805CB192EF61CD4092A0

Function 00B2581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2

_wcslen.LIBCMT ref: 00B2587B
CoInitialize.OLE32(00000000), ref: 00B25995
CoCreateInstance.OLE32(00B4FCF8,00000000,00000001,00B4FB68,?), ref: 00B259AE
CoUninitialize.OLE32 ref: 00B259CC

Strings

.lnk, xrefs: 00B25876, 00B258C1, 00B25985

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: e504aa0774c0df617a4c918217f628715d546a92af4865f69640b12a970b83e5
Instruction ID: 6563bc8d5c8ea411b280c9bbbb43f01a654c7f67fa7c6df5d9c9741b10971638
Opcode Fuzzy Hash: e504aa0774c0df617a4c918217f628715d546a92af4865f69640b12a970b83e5
Instruction Fuzzy Hash: 77D182706087119FC724DF24D584A6ABBE5FF89710F10899DF88A9B362DB31EC45CB92

Function 00B1175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B10FCA
Part of subcall function 00B10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B10FD6
Part of subcall function 00B10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B10FE5
Part of subcall function 00B10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B10FEC
Part of subcall function 00B10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B11002

GetLengthSid.ADVAPI32(?,00000000,00B11335), ref: 00B117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B117BA
HeapAlloc.KERNEL32(00000000), ref: 00B117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B117DA
GetProcessHeap.KERNEL32(00000000,00000000,00B11335), ref: 00B117EE
HeapFree.KERNEL32(00000000), ref: 00B117F5

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d1dd6d6ee5cf2afd192264f3c1104e19c07421d885155473d01b2d5d87f0377c
Instruction ID: 56798bce49983ad08bc427b653d47f1c7fdf6e377d3ca0fe709729bec9cafa25
Opcode Fuzzy Hash: d1dd6d6ee5cf2afd192264f3c1104e19c07421d885155473d01b2d5d87f0377c
Instruction Fuzzy Hash: 0C11AF75502205EFDB10DFA8CC49BEE7BE9FB42755F504468F681A7250CB359E80CB60

Function 00B114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00B11506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B11515
CloseHandle.KERNEL32(00000004), ref: 00B11520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B11563

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 40fb87d0656c2cce70d374d40995b1e15a01ed097b65e2324c7acdeadc360525
Instruction ID: 2494bbceb3caf3c066777411e7413f1079fdb9350042035572eec760e63b97dd
Opcode Fuzzy Hash: 40fb87d0656c2cce70d374d40995b1e15a01ed097b65e2324c7acdeadc360525
Instruction Fuzzy Hash: F3115976602209ABDF11CF98DD49BDE7BA9FF49B04F044064FA05A2160C775CEA0DB60

Function 00AD3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AD3379,00AD2FE5), ref: 00AD3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AD339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AD33B7
SetLastError.KERNEL32(00000000,?,00AD3379,00AD2FE5), ref: 00AD3409

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1e4260d3287bfc920cc5bfa65752948c94a4ff55bc151d0e2a4c0a72db0b3829
Instruction ID: 719a306d481be65cb86d70bdd36074f669ccd0cc26224a90649c83912a6bc2df
Opcode Fuzzy Hash: 1e4260d3287bfc920cc5bfa65752948c94a4ff55bc151d0e2a4c0a72db0b3829
Instruction Fuzzy Hash: E2012433209311BEAE262BB47E856673E94FB05779320022FF412863F0EF218E019286

Function 00AE2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AE5686,00AF3CD6,?,00000000,?,00AE5B6A,?,?,?,?,?,00ADE6D1,?,00B78A48), ref: 00AE2D78
_free.LIBCMT ref: 00AE2DAB
_free.LIBCMT ref: 00AE2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00ADE6D1,?,00B78A48,00000010,00AB4F4A,?,?,00000000,00AF3CD6), ref: 00AE2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00ADE6D1,?,00B78A48,00000010,00AB4F4A,?,?,00000000,00AF3CD6), ref: 00AE2DEC
_abort.LIBCMT ref: 00AE2DF2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8a30faf23c6965837871ae2e8f83aadb04840eda91d7fd7023bfaec3e8b05bc8
Instruction ID: 521a4690418bae53726ec606cbcec4d710e4f59aa6c01d4ba470d57664edf827
Opcode Fuzzy Hash: 8a30faf23c6965837871ae2e8f83aadb04840eda91d7fd7023bfaec3e8b05bc8
Instruction Fuzzy Hash: 1FF0283690568027D6523737BD4AF5A2A6DBFC2BA0F314028FA24D31E2EE3489014320

Function 00B48A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AC9693
Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96A2
Part of subcall function 00AC9639: BeginPath.GDI32(?), ref: 00AC96B9
Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B48A4E
LineTo.GDI32(?,00000003,00000000), ref: 00B48A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B48A70
LineTo.GDI32(?,00000000,00000003), ref: 00B48A80
EndPath.GDI32(?), ref: 00B48A90
StrokePath.GDI32(?), ref: 00B48AA0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c5c9f293d2a4be07704f2305a997fef838ca33781220c96f384e88bfa4ddac0c
Instruction ID: 70ff67ca2447004e461260e4e8efc2a643eb6c1c266d773915e43f03ab9b7e2f
Opcode Fuzzy Hash: c5c9f293d2a4be07704f2305a997fef838ca33781220c96f384e88bfa4ddac0c
Instruction Fuzzy Hash: E3110976001148FFDB129F94DC88EAA7FACFB09350F048052FA199A1A1CB719E55DBA0

Function 00B151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B15218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B15229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B15230
ReleaseDC.USER32(00000000,00000000), ref: 00B15238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B1524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B15261

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: bbd6955ed1384cf42175952df5276a74e6fefe6d3cc8a9cf6e8768c811094cdd
Instruction ID: 8aaded497f3ad952278b8365829afa691d4fde413275adc9c4b0990a12932619
Opcode Fuzzy Hash: bbd6955ed1384cf42175952df5276a74e6fefe6d3cc8a9cf6e8768c811094cdd
Instruction Fuzzy Hash: 24018F75A01709BBEB109BA59C49A5EBFB8FB49751F044065FA04A7290DA709900CBA0

Function 00AB1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB1C22

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e7c32529dd99d47d20da146416c0309d7d954e9533f54af4c1dd2baa644f40b2
Instruction ID: 43573fcf5b6f4ec1f2a2a78a37e8350881acb7c63b9f4302ff48a3f5d903e625
Opcode Fuzzy Hash: e7c32529dd99d47d20da146416c0309d7d954e9533f54af4c1dd2baa644f40b2
Instruction Fuzzy Hash: E90144B0902B5ABDE3008F6A8C85A52FEA8FF19754F00411BA15C4BA42C7B5A864CBE5

Function 00B1EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B1EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B1EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00B1EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B1EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B1EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B1EB75

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 4b5abe5627a95f30508dd26ce58781423643b65a12d17eae8dd64b1d94392079
Instruction ID: b98ab1f61ec83bd1b207fc52b42d0bf589b6d1f13ed429170eae3f53b7263c24
Opcode Fuzzy Hash: 4b5abe5627a95f30508dd26ce58781423643b65a12d17eae8dd64b1d94392079
Instruction Fuzzy Hash: 85F0177A642158BBE6615B629C0EEEB3E7CFBCBF11F004158FA11E20919BA05B0186B5

Function 00B07439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B07452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B07469
GetWindowDC.USER32(?), ref: 00B07475
GetPixel.GDI32(00000000,?,?), ref: 00B07484
ReleaseDC.USER32(?,00000000), ref: 00B07496
GetSysColor.USER32(00000005), ref: 00B074B0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: ff4190dc1fc10b6d6727a7057ac1bc2212495e06c92a12f8100d2383f27a451e
Instruction ID: 81c0b5cde064c5e1fcb46a240f3ae426e9e69a8c76d0d888f9530a39fd1da82b
Opcode Fuzzy Hash: ff4190dc1fc10b6d6727a7057ac1bc2212495e06c92a12f8100d2383f27a451e
Instruction Fuzzy Hash: 67017435801215EFEB905FA4DC09BAEBFB5FB05721F2240A4F916A31A1CF312E41EB10

Function 00B11874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B1187F
UnloadUserProfile.USERENV(?,?), ref: 00B1188B
CloseHandle.KERNEL32(?), ref: 00B11894
CloseHandle.KERNEL32(?), ref: 00B1189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B118A5
HeapFree.KERNEL32(00000000), ref: 00B118AC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c4657fa840b04385ba7206ea63ed9678d9dad964e7a0d7580c62de3fcedd3a75
Instruction ID: 60fa885d85140ea3257df57c434c72636f6a4316f145f90d2521a83fe8033288
Opcode Fuzzy Hash: c4657fa840b04385ba7206ea63ed9678d9dad964e7a0d7580c62de3fcedd3a75
Instruction Fuzzy Hash: 8CE0E53A206101BBDB415FA9ED0C90ABF39FF4AF22B108220F22592070CF329520DF50

Function 00B1C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B1C6EE
_wcslen.LIBCMT ref: 00B1C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B1C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B1C7CA

Strings

0, xrefs: 00B1C6AF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 048a0ba2ee4a57b5486ee8d6b7f3b855cb8788ee8e160b5643a405b7cd892b09
Instruction ID: ee0c9748a277a205301010ae7bdca604a8cd024d040cc46d7bf9258fc6f440db
Opcode Fuzzy Hash: 048a0ba2ee4a57b5486ee8d6b7f3b855cb8788ee8e160b5643a405b7cd892b09
Instruction Fuzzy Hash: C551DF716853009BD7119F28C885BEA7BE8EF49310F440AADF9A5D31E1DBA0DD84CB52

Function 00B3AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B3AEA3

Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625

GetProcessId.KERNEL32(00000000), ref: 00B3AF38
CloseHandle.KERNEL32(00000000), ref: 00B3AF67

Strings

@, xrefs: 00B3AE72
<, xrefs: 00B3AE6B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e49685e239ead7e9c86a418a1a6957485db1e7e46c6d2e3a0b6425cdf99ce118
Instruction ID: 6d96da2aa5b4a6d89989ac39a7fdaaed19d3590e101d89e845de1473f5e2a7a3
Opcode Fuzzy Hash: e49685e239ead7e9c86a418a1a6957485db1e7e46c6d2e3a0b6425cdf99ce118
Instruction Fuzzy Hash: 98719B70A00215DFCB14EF64C585A9EBBF4FF08310F248499E856AB7A2CB74ED45CB91

Function 00B1719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B17206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B1723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B1724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B172CF

Strings

DllGetClassObject, xrefs: 00B17242

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 982882428716e48986bd4022f0d529183482700f78c11cf0b912393fe79cd2fd
Instruction ID: d8fe2093ddff224fea67a46f37b731e8a3236b62ad23d8cab5f1d049f32a8c62
Opcode Fuzzy Hash: 982882428716e48986bd4022f0d529183482700f78c11cf0b912393fe79cd2fd
Instruction Fuzzy Hash: 30412D71644204AFDB15CF54C884ADA7BF9EF4A710F5480E9BD09DF20ADBB1DA85CBA0

Function 00B43D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B43E35
IsMenu.USER32(?), ref: 00B43E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B43E92
DrawMenuBar.USER32 ref: 00B43EA5

Strings

0, xrefs: 00B43D89

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 24207a8d29441f69605996eae14ec977ddaea02b8392965de12a3fd506b7b164
Instruction ID: 309715a3735cb3e3184e67c37b31aecfb2b52e18c4d6e9b41099f3bea5423f21
Opcode Fuzzy Hash: 24207a8d29441f69605996eae14ec977ddaea02b8392965de12a3fd506b7b164
Instruction Fuzzy Hash: 26416875A02209EFDB10DF54D884AAABBF9FF49750F0840A9E915AB250D730AF45DF60

Function 00B11DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B11E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B11E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B11EA9

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

Strings

ListBox, xrefs: 00B11E25
ComboBox, xrefs: 00B11DF0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 39ee5045d53ff051acbf80a332373485a5dd34997459de3cb025e4b0243918e5
Instruction ID: 03df9bb9ccf77baf1efc498ffedea251850487c2ad74e4c6ad708f42a8ac32ee
Opcode Fuzzy Hash: 39ee5045d53ff051acbf80a332373485a5dd34997459de3cb025e4b0243918e5
Instruction Fuzzy Hash: 7E216B72A00104BFDB14ABE4CD85DFFBBFCEF46350B504559F925A31E1DB344A459620

Function 00B3C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B3C9F1
_wcslen.LIBCMT ref: 00B3CA68
_wcslen.LIBCMT ref: 00B3CA9E
_wcslen.LIBCMT ref: 00B3CAF9
_wcslen.LIBCMT ref: 00B3CB2F
_wcslen.LIBCMT ref: 00B3CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B3CA62, 00B3CA67
HKLM, xrefs: 00B3CA98, 00B3CA9D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: a5ab53210296d1533b9da6d6d98201276d8d2eb750ea4ef96a113caa4489658d
Instruction ID: c465cfc8b0637bb99fd4ce8e8cbf1c53611e42d48a504a3d7f3dd3d3057e9f71
Opcode Fuzzy Hash: a5ab53210296d1533b9da6d6d98201276d8d2eb750ea4ef96a113caa4489658d
Instruction Fuzzy Hash: 5131F533A001694BCB20EFEC89500BE3BD1DBA1750F3540A9E855BB35DEA71CD40D3A0

Function 00B42F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B42F8D
LoadLibraryW.KERNEL32(?), ref: 00B42F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B42FA9
DestroyWindow.USER32(?), ref: 00B42FB1

Strings

SysAnimate32, xrefs: 00B42F68

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 898c6476327b79f400c26c4fad7b9144e19b5b62b83b145de945667f8fd122bf
Instruction ID: b225a66547a72a6f7c25d1aeba67034baf5c1870d581b73b19cb4cca37426386
Opcode Fuzzy Hash: 898c6476327b79f400c26c4fad7b9144e19b5b62b83b145de945667f8fd122bf
Instruction Fuzzy Hash: 7E219A71200209ABEB104F64DC80EBB3BFDEB69764F904698F950D31A0D771DD95B760

Function 00AD4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AD4D1E,00AE28E9,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002), ref: 00AD4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AD4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00AD4D1E,00AE28E9,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002,00000000), ref: 00AD4DC3

Strings

CorExitProcess, xrefs: 00AD4D98
mscoree.dll, xrefs: 00AD4D86

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 56a521915fc4d07a0a4a6fb4c2ff87ae517de720f66173d1c4596b3468e36e6d
Instruction ID: 027358218ceecb5387e08ca42b2aa063829f45bbadf2a0cf2ec0e4fd8cb3da1b
Opcode Fuzzy Hash: 56a521915fc4d07a0a4a6fb4c2ff87ae517de720f66173d1c4596b3468e36e6d
Instruction Fuzzy Hash: CDF04435541208BBDB515F90DC49BADBFF5EF48B52F000099F80AA3260DF315E40CA90

Function 00AB4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AB4EAE
FreeLibrary.KERNEL32(00000000,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00AB4EA8
kernel32.dll, xrefs: 00AB4E94

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 017d237ec98e7831853de030ec651b600e01cb414ed646fbcae06375036560f6
Instruction ID: 53ebd14fa6271dbe4e82e5baa909dd7a2436d6e477760c4157c7c49542d661e4
Opcode Fuzzy Hash: 017d237ec98e7831853de030ec651b600e01cb414ed646fbcae06375036560f6
Instruction Fuzzy Hash: D3E0CD39A075225BD37117296C18BDF6DACBF86F627050115FC04F3113DF64CE0185A1

Function 00AB4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AB4E74
FreeLibrary.KERNEL32(00000000,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E87

Strings

kernel32.dll, xrefs: 00AB4E5B
Wow64RevertWow64FsRedirection, xrefs: 00AB4E6E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 71adf00e01e6eea8f0e73bceb09bc9ce446e9555cedd489cc20e147952676a6a
Instruction ID: 70d60cbe8098fa7fc33d737fa9d79a76f54a90636dad25ac6163d00808f71973
Opcode Fuzzy Hash: 71adf00e01e6eea8f0e73bceb09bc9ce446e9555cedd489cc20e147952676a6a
Instruction Fuzzy Hash: 08D01239503A216756621B256C18ECB6F6CBF8AF513054555F905B3126CF61CF01D5E1

Function 00B22947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B22C05
DeleteFileW.KERNEL32(?), ref: 00B22C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B22C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B22CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B22CC0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8faa677aa2e0f21bd61b238ccae9afc1a3c97f2d0d6c07673aafa36a8a1e7cec
Instruction ID: 320846755b1f7f07ac7ebcdf932417157cf42930ce2c33b445d0729a460c66d9
Opcode Fuzzy Hash: 8faa677aa2e0f21bd61b238ccae9afc1a3c97f2d0d6c07673aafa36a8a1e7cec
Instruction Fuzzy Hash: 8DB15F71D00129ABDF21EFA4DD85EEEBBBDEF49350F1040A6F509E7251EA309A448F61

Function 00B3A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B3A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B3A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B3A468
CloseHandle.KERNEL32(?), ref: 00B3A63D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: c0c8dd413a1256889e416836d68b7215dd5508126fcac3f2f89b0de1348ef961
Instruction ID: 11072e8ce147ab8cab52e2e8f3edd0d8e6ace339c815b5fa4afc74a33bfcb222
Opcode Fuzzy Hash: c0c8dd413a1256889e416836d68b7215dd5508126fcac3f2f89b0de1348ef961
Instruction Fuzzy Hash: 15A17F71604301AFD724DF24C986F2AB7E5AF84714F24885DF59A9B392DBB0EC418B92

Function 00B1E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B1CF22,?), ref: 00B1DDFD

Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B1CF22,?), ref: 00B1DE16

Part of subcall function 00B1E199: GetFileAttributesW.KERNEL32(?,00B1CF95), ref: 00B1E19A

lstrcmpiW.KERNEL32(?,?), ref: 00B1E473
MoveFileW.KERNEL32(?,?), ref: 00B1E4AC
_wcslen.LIBCMT ref: 00B1E5EB
_wcslen.LIBCMT ref: 00B1E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B1E650

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: aa1479815e09dd1f128df9503f18ddb82c7d45c3d396cc61dfbed362671a8771
Instruction ID: fbbe6445221b2711924fece1dbe08490f0b58885cd833eed6c14ebe6afef491d
Opcode Fuzzy Hash: aa1479815e09dd1f128df9503f18ddb82c7d45c3d396cc61dfbed362671a8771
Instruction Fuzzy Hash: 095180B24083459BC724DBA0DC819DF77ECEF85340F40496EFA99D3151EE74E6888766

Function 00B3B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B3BB63
RegCloseKey.ADVAPI32(?,?), ref: 00B3BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00B3BBB3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9414acc169790f3811b991c8da77f0fac5b38ccd3a1727146975758be8d050ad
Instruction ID: 471ae1a0d9bd646edada2e4ef330597bd5b356cfca31602452ae8681998781d4
Opcode Fuzzy Hash: 9414acc169790f3811b991c8da77f0fac5b38ccd3a1727146975758be8d050ad
Instruction Fuzzy Hash: 1F619031208241AFD314DF14C491E6ABBE9FF84308F24859DF59A8B2A2DF31ED45CB92

Function 00B18BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B18BCD
VariantClear.OLEAUT32 ref: 00B18C3E
VariantClear.OLEAUT32 ref: 00B18C9D
VariantClear.OLEAUT32(?), ref: 00B18D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B18D3B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 31675d710da3feaeafdb466b02288c29efa06925c392b5c0b23666490d01dbfe
Instruction ID: ac3ca75ff42eca7271eb7728d8d5b16ee80822a46889dc7b9c8e1f1860a6f74a
Opcode Fuzzy Hash: 31675d710da3feaeafdb466b02288c29efa06925c392b5c0b23666490d01dbfe
Instruction Fuzzy Hash: BD516CB5A00219EFCB10CF68D894AAAB7F5FF89310B158569F905DB350EB30E911CF90

Function 00B28AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B28BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B28BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B28C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B28C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B28C5F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 17ad4c7daa61c17855a9c3d18d6c15b1762afce6168c75a1c74324a6e8a9b189
Instruction ID: 325b42dc024b65bf3bea97e24e7cae9c227df01f3be4e7c090baa8c11d392a47
Opcode Fuzzy Hash: 17ad4c7daa61c17855a9c3d18d6c15b1762afce6168c75a1c74324a6e8a9b189
Instruction Fuzzy Hash: E1516F35A002149FCB11DF64C981EADBBF5FF49314F088498E84AAB362CB75ED41DBA0

Function 00B38EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B38F40
GetProcAddress.KERNEL32(00000000,?), ref: 00B38FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B38FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00B39032
FreeLibrary.KERNEL32(00000000), ref: 00B39052

Part of subcall function 00ACF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B21043,?,753CE610), ref: 00ACF6E6
Part of subcall function 00ACF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B0FA64,00000000,00000000,?,?,00B21043,?,753CE610,?,00B0FA64), ref: 00ACF70D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: fc6dc12a60cbb472c9fb9282a89eca47496085fc564e97465717d8d0400d8e51
Instruction ID: bb717dcdc3f830215a4a71bbb50d9f880ba591ad4bf6efbec88e394a336713f1
Opcode Fuzzy Hash: fc6dc12a60cbb472c9fb9282a89eca47496085fc564e97465717d8d0400d8e51
Instruction Fuzzy Hash: A2514838605205DFCB15DF68C5848ADBBF5FF49314F1481A8E80AAB362DB71ED86CB91

Function 00B46B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B46C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00B46C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B46C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B2AB79,00000000,00000000), ref: 00B46C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B46CC7

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 68721b652190dc860e7d05aca8115457ca604720e49e612cfe472d60f35c434b
Instruction ID: e7252b4c071ad75085fd5085cf9864c53dcb3c337a02f96f83581c2357d87ccf
Opcode Fuzzy Hash: 68721b652190dc860e7d05aca8115457ca604720e49e612cfe472d60f35c434b
Instruction Fuzzy Hash: 0941B335A04104AFD724CF68CC95FA97BE5EB0B350F1502A8F895A72E2C771AF41EA41

Function 00AE2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AE20C3
_free.LIBCMT ref: 00AE20E3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e9f02c006c75732142b6dd88c7b040afceffed1783e0bcce27bba60b1e734218
Instruction ID: faafe580994150cdc59fde5b36e692fe9ccd66ff44dd03a38db2efc08c63444d
Opcode Fuzzy Hash: e9f02c006c75732142b6dd88c7b040afceffed1783e0bcce27bba60b1e734218
Instruction Fuzzy Hash: C141D232A002449FCB24DF79C981B5DB7B9EF89314F15456DE515EB392DA31AE01CB80

Function 00AC912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AC9141
ScreenToClient.USER32(00000000,?), ref: 00AC915E
GetAsyncKeyState.USER32(00000001), ref: 00AC9183
GetAsyncKeyState.USER32(00000002), ref: 00AC919D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: aa6141782fba79caaad61fb6afb8b150ba27fa2e3df25130646b2037769fea11
Instruction ID: 0456e9656025a730c14e12f7756c42590fc34c75fed46584f337eaa001ab3764
Opcode Fuzzy Hash: aa6141782fba79caaad61fb6afb8b150ba27fa2e3df25130646b2037769fea11
Instruction Fuzzy Hash: 27416031A0850AFBDF559F64C849BEEFBB4FB05320F258359E429A72D0CB306A50DB91

Function 00B23874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B23922
TranslateMessage.USER32(?), ref: 00B2394B
DispatchMessageW.USER32(?), ref: 00B23955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B23966

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 46c42f4189da5e91f8c2e8a4f76d3b9a96d615772be63a86501d26ffb6f5b41e
Instruction ID: 2c94995762687137eb3635c898285967d2fa23a8e96073b0d808e619850955c8
Opcode Fuzzy Hash: 46c42f4189da5e91f8c2e8a4f76d3b9a96d615772be63a86501d26ffb6f5b41e
Instruction Fuzzy Hash: 9A31B9705053619EEB35CB34E849BB63BE8EB16B04F04099DE45BC71A0DBBC9AC5CB21

Function 00B2CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00B2CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFF2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 59508d998062b4e6cc279ecac4f2a919e4b35fd60b58e55698c309da77c5f3c4
Instruction ID: 60bdac37ab36d7b65656e288a0ec005c4afff68bea82b5d15a7060ce42e6e70e
Opcode Fuzzy Hash: 59508d998062b4e6cc279ecac4f2a919e4b35fd60b58e55698c309da77c5f3c4
Instruction Fuzzy Hash: 28319C71500215EFDB20DFA5EA84AAFBFF9FB14350B1040AEF10AD3140DB30AE489B60

Function 00B11901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B11915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00B119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B119E2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 83004992f4533685b108cae9dca59578f67e71c8e6d768ad52c98ba84d402099
Instruction ID: 4fe1c136702f7a26bfe819a8b69eb77799205cf1c28c97df7dbb8e8ad16c4f1e
Opcode Fuzzy Hash: 83004992f4533685b108cae9dca59578f67e71c8e6d768ad52c98ba84d402099
Instruction Fuzzy Hash: 8F31E071A00219EFCB00CFACCD98ADE3BB5FB05314F108669FA21A72D0C7709A85CB90

Function 00B45706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B45745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B4579D
_wcslen.LIBCMT ref: 00B457AF
_wcslen.LIBCMT ref: 00B457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B45816

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e11d3d05fba968b1bd4d0184dac6b7170dbc132b6983347aeaef036753ad0e20
Instruction ID: 48cef18e73fb54087a3784c8c692adef9e87ac6fbc98966a10d30e40a20dc0e5
Opcode Fuzzy Hash: e11d3d05fba968b1bd4d0184dac6b7170dbc132b6983347aeaef036753ad0e20
Instruction Fuzzy Hash: 2721C370904A189BDB308F60CC85AED7BF8FF04720F108296E929EB281D7708B85DF50

Function 00B30930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B30951
GetForegroundWindow.USER32 ref: 00B30968
GetDC.USER32(00000000), ref: 00B309A4
GetPixel.GDI32(00000000,?,00000003), ref: 00B309B0
ReleaseDC.USER32(00000000,00000003), ref: 00B309E8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0a9cc509d960ffb3c9c3dc6bcf29da17bdb05f93ad54f4cb3dcc01e8afed8fea
Instruction ID: 42a8a7eb13135f10b347a1297e5bd9616e5f81d7ec7ed3db4023a67d67773402
Opcode Fuzzy Hash: 0a9cc509d960ffb3c9c3dc6bcf29da17bdb05f93ad54f4cb3dcc01e8afed8fea
Instruction Fuzzy Hash: 7721A139600214AFD714EF69D984AAEBBF9FF45710F1485A8F84A97362CB70AD04CB50

Function 00AECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00AECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AECDE9

Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AECE0F
_free.LIBCMT ref: 00AECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AECE31

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8bc3faf5249896fa04b58f010253a707cbc8ff9d0d8f2a757cb63670fb31e42e
Instruction ID: 087eb7f2085af075acc93d16ce5f540275b6ad04cad8f8370a5c08559d8179d4
Opcode Fuzzy Hash: 8bc3faf5249896fa04b58f010253a707cbc8ff9d0d8f2a757cb63670fb31e42e
Instruction Fuzzy Hash: 3301DF726022957FA3211BBB6C8CD7B6E6DEEC7FB13150129F905D7201EE618E0282B0

Function 00AC9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AC9693
SelectObject.GDI32(?,00000000), ref: 00AC96A2
BeginPath.GDI32(?), ref: 00AC96B9
SelectObject.GDI32(?,00000000), ref: 00AC96E2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: de1568980f85de728d78b6abc3f5bd0ebf6667dd5fec873b355a374b880b05eb
Instruction ID: 8f68706deb1d2ddb4620f676407414e073f598286ce15409fcf0a5f2f8f42f0a
Opcode Fuzzy Hash: de1568980f85de728d78b6abc3f5bd0ebf6667dd5fec873b355a374b880b05eb
Instruction Fuzzy Hash: A3215E30803305EFDB119F68EC18BAA7BB8BB51755F114A5AF410A71F0DB709993CBA4

Function 00B15711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B15726
_memcmp.LIBVCRUNTIME ref: 00B15744
_memcmp.LIBVCRUNTIME ref: 00B15757
_memcmp.LIBVCRUNTIME ref: 00B1576F
_memcmp.LIBVCRUNTIME ref: 00B15787

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bb1e37b5c7b8cf91fd37378e397ef4e49979121b435bc8e6b7e8fb6767ce521c
Instruction ID: 649b9c0d619820deb6f315f5567f48a4d47cd255de36409ac6b298df5f90a44f
Opcode Fuzzy Hash: bb1e37b5c7b8cf91fd37378e397ef4e49979121b435bc8e6b7e8fb6767ce521c
Instruction Fuzzy Hash: 71019675741605FAD26855109E83FFA73ECDBA13A4B804061FD059F282F660EE5096A0

Function 00AE2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00ADF2DE,00AE3863,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6), ref: 00AE2DFD
_free.LIBCMT ref: 00AE2E32
_free.LIBCMT ref: 00AE2E59
SetLastError.KERNEL32(00000000,00AB1129), ref: 00AE2E66
SetLastError.KERNEL32(00000000,00AB1129), ref: 00AE2E6F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bb6fc5e427c33dd79167edcdced03c39cc389b3420fc96803e6d0b72a2519d95
Instruction ID: 8491ff2b85323dc0012f43236a01f1664e1338f42b2fd2b3ae0dfe3814e25b32
Opcode Fuzzy Hash: bb6fc5e427c33dd79167edcdced03c39cc389b3420fc96803e6d0b72a2519d95
Instruction Fuzzy Hash: E60128362066906BC61227776D4AF2B2E7DABD27B5F354038F865A32E3EF348C014320

Function 00B1000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?,?,00B1035E), ref: 00B1002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?), ref: 00B10064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10070

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ea70182a6e8b37cbc016bd912902d2a266516487bbe6e627590b0c7804c2d6fc
Instruction ID: 5f84264d0dea060bab6ccaf75408e0467348eba93a3fc9b814c23cff212fcc51
Opcode Fuzzy Hash: ea70182a6e8b37cbc016bd912902d2a266516487bbe6e627590b0c7804c2d6fc
Instruction Fuzzy Hash: 89018F7A611218BFDB515F68DC48BEA7FEDEB48B91F144164F905D3210EBB1DE808BA0

Function 00B1E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B1E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00B1E9A5
Sleep.KERNEL32(00000000), ref: 00B1E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00B1E9B7
Sleep.KERNEL32 ref: 00B1E9F3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b24c9adb896dc8d9bb96df5583f07de14e943fae991a7716248a1b80841f56fb
Instruction ID: f1cdeabddba03b76130102e768b1b8c9604eb81b178e9c89746fbd27f24a3638
Opcode Fuzzy Hash: b24c9adb896dc8d9bb96df5583f07de14e943fae991a7716248a1b80841f56fb
Instruction Fuzzy Hash: 26015B35C0252DDBCF409BE4D849AEDBFB8FB09B00F400586E912B2140DF309690C761

Function 00B110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B11114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B1112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B1114D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f7428654383f0791aba8ef101faecbb3aa4a6e336f63fe84ed36abeab33a1295
Instruction ID: 5e465e244709b741a5dada62e32a87701fdfb9d0fe970539d6aa0e6f94c5923d
Opcode Fuzzy Hash: f7428654383f0791aba8ef101faecbb3aa4a6e336f63fe84ed36abeab33a1295
Instruction Fuzzy Hash: 36016D79101205BFDB514FA9DC49AAA3FAEFF87764B200454FA41D3360DE31DD508A60

Function 00B10FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B10FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B10FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B10FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B10FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B11002

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 59b5abe076b7a210d11eea71b982a35fc82c8eb7e15e17cac0500622fcf580c6
Instruction ID: 3e10310dfa67d6bbe77ef3ab150c5af7ee1e06012b04fb043ad408807c5dfb03
Opcode Fuzzy Hash: 59b5abe076b7a210d11eea71b982a35fc82c8eb7e15e17cac0500622fcf580c6
Instruction Fuzzy Hash: 83F04F39602301ABD7214FA89C4DF963FADFF8AB61F504454FA45D7251CE70DD808A60

Function 00B11014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B1102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B11036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B1104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11062

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 99f7cc35eb21d1845b656e4212cf1f3de69e8cb4e095286b3c053f31355732ee
Instruction ID: c14bfb41bab1497b21d11097af1e1f22a40fe9f7282e17d833111c9914fe0495
Opcode Fuzzy Hash: 99f7cc35eb21d1845b656e4212cf1f3de69e8cb4e095286b3c053f31355732ee
Instruction Fuzzy Hash: FBF04F39602301ABD7215FA9EC4DF963FADFF8AB61F500414FA45D7250CE70D980CA60

Function 00B2030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20324
CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20331
CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B2033E
CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B2034B
CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20358
CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20365

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 110daa32bd344c99afee9af2585a962280f8a20569ac3d163ef321c486747c0b
Instruction ID: dafc285a2cc8428af94cfbdf52ba056c47cabdc7f0f4d2d37881d2a644abac1e
Opcode Fuzzy Hash: 110daa32bd344c99afee9af2585a962280f8a20569ac3d163ef321c486747c0b
Instruction Fuzzy Hash: 8F01A272811B259FC730AF66E880412FBF5FF543153158A7FD19A52932C771A954CF84

Function 00AED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AED752

Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0

_free.LIBCMT ref: 00AED764
_free.LIBCMT ref: 00AED776
_free.LIBCMT ref: 00AED788
_free.LIBCMT ref: 00AED79A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ebb26d7629a4e3902baf9b9c9ba8e54c23a91bee16b29b3242297f88f1631c23
Instruction ID: d5b7dd3a6c1991287971cd2e9d03d9cf31bad7f35cfdc694d0990d5a2a24cf71
Opcode Fuzzy Hash: ebb26d7629a4e3902baf9b9c9ba8e54c23a91bee16b29b3242297f88f1631c23
Instruction Fuzzy Hash: C7F03032544288AB8661FB6AFAC6D1A7BDDBB84710BA51C0DF05CE7502CB34FCC08B64

Function 00B15C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B15C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B15C6F
MessageBeep.USER32(00000000), ref: 00B15C87
KillTimer.USER32(?,0000040A), ref: 00B15CA3
EndDialog.USER32(?,00000001), ref: 00B15CBD

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a9045ce6609e2413c93dcf0860884fd491225be009de745a604f7f88012cbe1c
Instruction ID: bf9f989c45714d20be75a50b122501b61ff63dc466adb482f1884fa623220545
Opcode Fuzzy Hash: a9045ce6609e2413c93dcf0860884fd491225be009de745a604f7f88012cbe1c
Instruction Fuzzy Hash: 74018634501B04EBEB305F10DD4EFE67BF8FB41B05F411599A693A20E1DFF4AA848A90

Function 00AE22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AE22BE

Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0

_free.LIBCMT ref: 00AE22D0
_free.LIBCMT ref: 00AE22E3
_free.LIBCMT ref: 00AE22F4
_free.LIBCMT ref: 00AE2305

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fa6485b4ffb0b9230f02cd6653c4ff74a90df7bd8d0185ed4f4699d3d145c84a
Instruction ID: 4e784eaa98fe1a4f70bffa7b6ee8ea931e24f7246ddc0262614cf551a527ffb2
Opcode Fuzzy Hash: fa6485b4ffb0b9230f02cd6653c4ff74a90df7bd8d0185ed4f4699d3d145c84a
Instruction Fuzzy Hash: ECF05EB18111648B8622BF59BD02A583FACFB687A0702590EF524D72B2CF340852EFE5

Function 00AC95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AC95D4
StrokeAndFillPath.GDI32(?,?,00B071F7,00000000,?,?,?), ref: 00AC95F0
SelectObject.GDI32(?,00000000), ref: 00AC9603
DeleteObject.GDI32 ref: 00AC9616
StrokePath.GDI32(?), ref: 00AC9631

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 83970f9637d58eb8ff661f6890fc06be884c908b117e4f54beb128c7376b2b49
Instruction ID: 14026db961608856805fc6c1bf6b69a5d5734094739d160afb4248d898d3dfd7
Opcode Fuzzy Hash: 83970f9637d58eb8ff661f6890fc06be884c908b117e4f54beb128c7376b2b49
Instruction Fuzzy Hash: E7F0F234007608EBDB265F69ED1CB653F69BB02722F058618E425661F1CF308A97DF20

Function 00AE0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00AE10F9
__freea.LIBCMT ref: 00AE1117

Part of subcall function 00AE1537: _free.LIBCMT ref: 00AE154F

Strings

a/p, xrefs: 00AE11DE
am/pm, xrefs: 00AE117A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e03e62e5ab3b1e2df877c80db69ccde649a03e362aa92927ea5ffa69162c0487
Instruction ID: c092b8da64ac7ac3a1e81ab6d36b29135472b8cd2472d576faeee8c1d713d1ab
Opcode Fuzzy Hash: e03e62e5ab3b1e2df877c80db69ccde649a03e362aa92927ea5ffa69162c0487
Instruction Fuzzy Hash: 23D115719002E6CADB649F6AC895BFEB7B1FF05300F284269EA01AF654D3759D80CB91

Function 00B37B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00AD0242: EnterCriticalSection.KERNEL32(00B8070C,00B81884,?,?,00AC198B,00B82518,?,?,?,00AB12F9,00000000), ref: 00AD024D
Part of subcall function 00AD0242: LeaveCriticalSection.KERNEL32(00B8070C,?,00AC198B,00B82518,?,?,?,00AB12F9,00000000), ref: 00AD028A

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00AD00A3: __onexit.LIBCMT ref: 00AD00A9

__Init_thread_footer.LIBCMT ref: 00B37BFB

Part of subcall function 00AD01F8: EnterCriticalSection.KERNEL32(00B8070C,?,?,00AC8747,00B82514), ref: 00AD0202
Part of subcall function 00AD01F8: LeaveCriticalSection.KERNEL32(00B8070C,?,00AC8747,00B82514), ref: 00AD0235

Strings

Variable must be of type 'Object'., xrefs: 00B37C3A
G, xrefs: 00B37C7F
5, xrefs: 00B37C78

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: eadbd13c2163fcc09d50cf9241465160f97125360f5431222c87e6f0640769a2
Instruction ID: 2edaa5bedcc7a45369970e32bf71014c5cd00f0cfb02e1c943161f860950d215
Opcode Fuzzy Hash: eadbd13c2163fcc09d50cf9241465160f97125360f5431222c87e6f0640769a2
Instruction Fuzzy Hash: EB918CB4A44209EFCB24EF94D991DADB7F5FF45700F608099F8069B2A2DB31AE41CB51

Function 00B12716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B121D0,?,?,00000034,00000800,?,00000034), ref: 00B1B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B12760

Part of subcall function 00B1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B1B3F8

Part of subcall function 00B1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B1B355
Part of subcall function 00B1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B12194,00000034,?,?,00001004,00000000,00000000), ref: 00B1B365
Part of subcall function 00B1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B12194,00000034,?,?,00001004,00000000,00000000), ref: 00B1B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B1281A

Strings

@, xrefs: 00B12832

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fff786aa21fe5511e7e9045b9fde79bf28d6d6f5a636469d0ea8d1322498f1c5
Instruction ID: 00ff54255e2a4d97f534145060c828a5e718088ec0c3acf67d870e7ed7f246b9
Opcode Fuzzy Hash: fff786aa21fe5511e7e9045b9fde79bf28d6d6f5a636469d0ea8d1322498f1c5
Instruction Fuzzy Hash: 9E414C76900218AFDB10DFA4CD81EEEBBB8EF09700F408095FA55B7181DB706E85CBA0

Function 00AE172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00AE1769
_free.LIBCMT ref: 00AE1834
_free.LIBCMT ref: 00AE183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00AE1760, 00AE1767, 00AE1796, 00AE17CE

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: cb19aa301ca0ef44e09d49c0244818dda640fb84b0802eb191da6cae8f34dc6c
Instruction ID: 095a78ca77637a22771325a4fc5171d12c19720b60c9efe306b11507e9faa6e4
Opcode Fuzzy Hash: cb19aa301ca0ef44e09d49c0244818dda640fb84b0802eb191da6cae8f34dc6c
Instruction Fuzzy Hash: F931A171A012A8EFDB21DF9ADD81D9EBBFCEF85710B1041AAF805D7211DA708E41CB90

Function 00B1C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B1C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00B1C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B81990,01125878), ref: 00B1C395

Strings

0, xrefs: 00B1C2DF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 44d0afc95a90c1a00b122fb84b14ef88e174d1c519dcf5b2e800c22c21e2d8a5
Instruction ID: be2305150d93d3618c41856d193f17b43eba44cccfb9b380b71b8f088b353a36
Opcode Fuzzy Hash: 44d0afc95a90c1a00b122fb84b14ef88e174d1c519dcf5b2e800c22c21e2d8a5
Instruction Fuzzy Hash: 9041C1312443019FD720DF24E885B9ABFE8EF85310F50869EF9A5972D2C730E944CB5A

Function 00B44416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B4CC08,00000000,?,?,?,?), ref: 00B444AA
GetWindowLongW.USER32 ref: 00B444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B444D7

Strings

SysTreeView32, xrefs: 00B4447C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: db98caa7579c16d402068abd705067a4980ace07aafadec759dfbe37a6d9c7a2
Instruction ID: 8ee6f8ec80f60e966c035a73549e4199f64c370a842b72b6f170af6d64aecfd2
Opcode Fuzzy Hash: db98caa7579c16d402068abd705067a4980ace07aafadec759dfbe37a6d9c7a2
Instruction Fuzzy Hash: AD31AF31200205AFDF208E38DC45BDA7BA9EB19334F208715F979932E1DB70ED60A750

Function 00B3304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B33077,?,?), ref: 00B33378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B3307A
_wcslen.LIBCMT ref: 00B3309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00B33106

Strings

255.255.255.255, xrefs: 00B33095, 00B3309A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 231e1f5dfe7db3d1fd50fa8afe6a977e58e97e3a6a50c008c09b374220189f8c
Instruction ID: cce07b10356463837895356e31491ae69df9352dd240ea8fb1c858cd5300c624
Opcode Fuzzy Hash: 231e1f5dfe7db3d1fd50fa8afe6a977e58e97e3a6a50c008c09b374220189f8c
Instruction Fuzzy Hash: B431B0396042019FCB24CF68C585FAB7BE0EF14718F348099E9169B3A2DB32EE45C760

Function 00B43EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B43F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B43F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B43F78

Strings

SysMonthCal32, xrefs: 00B43F0B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 590c6c2bbbdd1d37d55fe9e8f139d1cd99bfc6022ee4829613f364b3b923600b
Instruction ID: f2ed93014ca25514f4d14d475442b018cd34a2ebc6423b64987122a377384771
Opcode Fuzzy Hash: 590c6c2bbbdd1d37d55fe9e8f139d1cd99bfc6022ee4829613f364b3b923600b
Instruction Fuzzy Hash: 3B21BF32600219BBDF118F90CC46FEA3BB9EF48B14F150254FE156B1D0DAB1AA54DB90

Function 00B44653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B44705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B44713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B4471A

Strings

msctls_updown32, xrefs: 00B44684

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 0496fd8310f1ccab373e73696a265c5d483c69a5dd772e08a9d869ed92ff8d07
Instruction ID: 682a99dbecf397f5051b6f01ec5d2a53afb5acef0cf61e8cf17ef058bab1fe1f
Opcode Fuzzy Hash: 0496fd8310f1ccab373e73696a265c5d483c69a5dd772e08a9d869ed92ff8d07
Instruction Fuzzy Hash: AE214CB5601209AFDB10DF68DC81DB637EDEB5A3A4B050499FA149B361CB30ED22DB60

Function 00B195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B1961D

Strings

#OnAutoItStartRegister, xrefs: 00B195F3
#notrayicon, xrefs: 00B195B7
#requireadmin, xrefs: 00B195D9

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0c87e755e1651fd4995728f093f93d755173150841bd07edbec2f89f395d3f68
Instruction ID: 618b28922f9397318f250575495ed5f0427d4af644d190491bb1fec2d86f0e34
Opcode Fuzzy Hash: 0c87e755e1651fd4995728f093f93d755173150841bd07edbec2f89f395d3f68
Instruction Fuzzy Hash: A021383210429166D331AB249D62FFB73DDEFA2300F904066F95AA7142EB95ADC1D2A5

Function 00B437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B43840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B43850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B43876

Strings

Listbox, xrefs: 00B4380F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9636d3f2d0dc8bdabaa767504559fcb4fc30e576adb415319367a4da44fe1ef3
Instruction ID: 5c66296ad1f5d86c42130d4426b97107d7d5a81cbfcdf29417443105e949252e
Opcode Fuzzy Hash: 9636d3f2d0dc8bdabaa767504559fcb4fc30e576adb415319367a4da44fe1ef3
Instruction Fuzzy Hash: 7621D472600118BBEF118F54CC81FBB3BEEEF89B50F148154F9449B190CA71DE5297A0

Function 00B249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B24A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B24A5C
SetErrorMode.KERNEL32(00000000,?,?,00B4CC08), ref: 00B24AD0

Strings

%lu, xrefs: 00B24A6F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 527a0a646a409fdd237f731344478bef7e836de8bdf22e09d3fa44a7b3aaa431
Instruction ID: ef3e1ac42cd677ed683d89904133f6c2a4413189b11a482983498aa963a149ca
Opcode Fuzzy Hash: 527a0a646a409fdd237f731344478bef7e836de8bdf22e09d3fa44a7b3aaa431
Instruction Fuzzy Hash: 4A316275A00119AFDB10DF54C985EAE7BF8EF09308F1480A9F909DB262DB71EE45CB61

Function 00B441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B4424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B44264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B44271

Strings

msctls_trackbar32, xrefs: 00B44226

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 78b5c4aa044005056e7d24b226a39202d6662b80f26b3e119b98721df45df2b8
Instruction ID: b23e7df56e22950e04573a706885e3936338b5333e29675423fd592eebd809db
Opcode Fuzzy Hash: 78b5c4aa044005056e7d24b226a39202d6662b80f26b3e119b98721df45df2b8
Instruction Fuzzy Hash: 1B11E331250208BEEF205E29CC06FAB3BECEF95B54F014524FA55E60A0D6B1DC21AB10

Function 00B12F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A

Part of subcall function 00B12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B12DC5
Part of subcall function 00B12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B12DD6
Part of subcall function 00B12DA7: GetCurrentThreadId.KERNEL32 ref: 00B12DDD
Part of subcall function 00B12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B12DE4

GetFocus.USER32 ref: 00B12F78

Part of subcall function 00B12DEE: GetParent.USER32(00000000), ref: 00B12DF9

GetClassNameW.USER32(?,?,00000100), ref: 00B12FC3
EnumChildWindows.USER32(?,00B1303B), ref: 00B12FEB

Strings

%s%d, xrefs: 00B12FFF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 4c97085ee1a57384d243d59825fc190ba43a30b8d52531559053fb6c2f2e9683
Instruction ID: 8c081fcd4fdf696d6d9a571c8cfb8733bc7983c01a3c5a9289bab71efbd1e70a
Opcode Fuzzy Hash: 4c97085ee1a57384d243d59825fc190ba43a30b8d52531559053fb6c2f2e9683
Instruction Fuzzy Hash: 4411C0752002056BDF556F60DC99FED37EAAF88704F4480B5B9099B152EE309A858B70

Function 00B45882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B458EE
DrawMenuBar.USER32(?), ref: 00B458FD

Strings

0, xrefs: 00B4588F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: e372bb68ae2a87e044366fd9f7f5421d5c8de2abca82dd53094d7ff83f8dd834
Instruction ID: 8fd58a88f3ebabfe09fc27157a84ebd09633947603c53f2d81508a2953381790
Opcode Fuzzy Hash: e372bb68ae2a87e044366fd9f7f5421d5c8de2abca82dd53094d7ff83f8dd834
Instruction Fuzzy Hash: 55016D31501618EFDB619F11DC85BAEBBB5FB45760F1080D9E849DA252DB308B84EF31

Function 00B1007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4682f6f39e84e239b6a2b53a5486de3449a39612ecb3fb66099d2d6dbd3a902
Instruction ID: 5820dcb877ba0103961f5373c366c962c62556d0b320c26d1d841eb350bceca2
Opcode Fuzzy Hash: b4682f6f39e84e239b6a2b53a5486de3449a39612ecb3fb66099d2d6dbd3a902
Instruction Fuzzy Hash: ECC16875A1020AEFCB14DFA4C898AAEB7B5FF48704F608598E515EB251C770EEC1CB90

Function 00AE3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00AE3F0B
__alldvrm.LIBCMT ref: 00AE410C
__alldvrm.LIBCMT ref: 00AE412E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 80773fc32ffb3e1dcf2e349734e610354eaca6776437125c2ccabea395641031
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 26A12672D003C69FEB25CF5AC8917AEBBF9EF69350F1442ADE5859B281C2388D41C750

Function 00B3342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B33459
CoUninitialize.OLE32 ref: 00B33463
VariantInit.OLEAUT32(?), ref: 00B3346E
VariantClear.OLEAUT32(?), ref: 00B3371B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e220749af8402d20ceff7107b8cfdbca62faac2f077e4455aa1c52093384dc1c
Instruction ID: 6840ce9685688a1d0acb0895ca5a7a31902fd707c6d6f175b0eb8e1734d923f9
Opcode Fuzzy Hash: e220749af8402d20ceff7107b8cfdbca62faac2f077e4455aa1c52093384dc1c
Instruction Fuzzy Hash: 28A139756043009FC710DF28C586A6AB7E9FF88714F158999F98A9B362DB70EE01CB91

Function 00B10436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B4FC08,?), ref: 00B105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B4FC08,?), ref: 00B10608
CLSIDFromProgID.OLE32(?,?,00000000,00B4CC40,000000FF,?,00000000,00000800,00000000,?,00B4FC08,?), ref: 00B1062D
_memcmp.LIBVCRUNTIME ref: 00B1064E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: abe7b01e6df3088ce27989d330b55ad2649e90f4493a321e0ea2ae88ec830bfc
Instruction ID: 359f1a14c99a76995eef2787fe626763815e32aae7f9fd3bd1bb28299e38b6f9
Opcode Fuzzy Hash: abe7b01e6df3088ce27989d330b55ad2649e90f4493a321e0ea2ae88ec830bfc
Instruction Fuzzy Hash: 94811B75A10109EFCB04DF94C984EEEB7F9FF89315F204598E506AB250DB71AE86CB60

Function 00B3A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B3A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00B3A6BA

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00B3A79C
CloseHandle.KERNEL32(00000000), ref: 00B3A7AB

Part of subcall function 00ACCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AF3303,?), ref: 00ACCE8A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f08e61df0d1f63e7fbc1be843bce941b2060774b90e62d54466c524fd3505613
Instruction ID: 44587f89dbedee93d45103cfb6759290286380fe35c72b7bf164c8b1d5f92be2
Opcode Fuzzy Hash: f08e61df0d1f63e7fbc1be843bce941b2060774b90e62d54466c524fd3505613
Instruction Fuzzy Hash: 20514D75508300AFD710EF24C986EABBBE8FF89754F50495DF58997252EB30D904CB92

Function 00AF1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AF14C0

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bf7875a7d6f60f401c02425e6455d743cfa6ba7de6f934259b3fd9de78b00a0f
Instruction ID: f9795f071ea85aed73b80d782c52a689e91049754e3cb93d57ab9572cc89473b
Opcode Fuzzy Hash: bf7875a7d6f60f401c02425e6455d743cfa6ba7de6f934259b3fd9de78b00a0f
Instruction Fuzzy Hash: F7414D75A0020CEBDB216BFE9D456BF3AB4EF81771F144226FA1AD7292E634484152B1

Function 00B46278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B462E2
ScreenToClient.USER32(?,?), ref: 00B46315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B46382

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 45b8fef7e43787bdc926b0bfe897319e2788f2471306cbf9b7e058c055d2cebf
Instruction ID: 96309c4ea415c42bd5f8db2db8cffda72e0119a1e13d735e97d8bc94bbe3806d
Opcode Fuzzy Hash: 45b8fef7e43787bdc926b0bfe897319e2788f2471306cbf9b7e058c055d2cebf
Instruction Fuzzy Hash: A9513C74A01249AFCF14DF68D8809AE7BF5FB46364F108599F8159B2A0D730EE41DB51

Function 00B31AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B31AFD
WSAGetLastError.WSOCK32 ref: 00B31B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B31B8A
WSAGetLastError.WSOCK32 ref: 00B31B94

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 71c0d50beff4da0533ab93a564b5633cd3b41b8d2a3445daa2d7e5fb157e51b4
Instruction ID: 052880c49774b8b51ac08faccfcf60b7fe4edf6487c7bd7aec7278276e07aff3
Opcode Fuzzy Hash: 71c0d50beff4da0533ab93a564b5633cd3b41b8d2a3445daa2d7e5fb157e51b4
Instruction Fuzzy Hash: CF41A234600200AFE720AF24C986F6A77E9EB44718F54849CF91A9F7D3E772DD418B91

Function 00AEB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181df27bc4160b02e470e49f0944c29593792b53b011c08a7e9cbea9892d63f1
Instruction ID: 911d1d48c22658c089ea3f4cd291731d2de98cd6108aebb59ac1b2e95f55872f
Opcode Fuzzy Hash: 181df27bc4160b02e470e49f0944c29593792b53b011c08a7e9cbea9892d63f1
Instruction Fuzzy Hash: 63412971A10344BFD7249F79CD45BABBBE9EB84710F10852EF512DB2C1D371990187A0

Function 00B256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B25783
GetLastError.KERNEL32(?,00000000), ref: 00B257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B257FA

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 02204a356860b1a7bf7d916f1e98c89fb104eef4c0f13c5c0a851ff13463ad5b
Instruction ID: aa3978bb65242331e8d623d5ec21fd1ca017bda87d40fa1ceaa3c045802027e1
Opcode Fuzzy Hash: 02204a356860b1a7bf7d916f1e98c89fb104eef4c0f13c5c0a851ff13463ad5b
Instruction Fuzzy Hash: 5E410B39600610DFCB21DF15C545A5EBBE6EF89720B19C488E84AAB362CB74FD40DB91

Function 00AED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00AD6D71,00000000,00000000,00AD82D9,?,00AD82D9,?,00000001,00AD6D71,8BE85006,00000001,00AD82D9,00AD82D9), ref: 00AED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AED9AB
__freea.LIBCMT ref: 00AED9B4

Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b7e67ba812ba5dc40cba14c5232180a77a174166b1a3c5278a43c5262f9281f8
Instruction ID: a355525aec8c5ac5aef929398367436712c8bcd230ae6cc999399a9e9020060e
Opcode Fuzzy Hash: b7e67ba812ba5dc40cba14c5232180a77a174166b1a3c5278a43c5262f9281f8
Instruction Fuzzy Hash: D431CD72A0024AABDF24DF66DC45EAE7BA5EB41710F054169FC05DB252EB35CD50CBA0

Function 00B452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00B45352
GetWindowLongW.USER32(?,000000F0), ref: 00B45375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B45382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B453A8

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 45c0ee4b2ae6296d785ae000028ab9575cbc4bbb5fd5714dcaea63768ae413bb
Instruction ID: f1384e16077f9cea2cf7d2424ac5e7e542c9c4d90066bc4a357efb5dee069b14
Opcode Fuzzy Hash: 45c0ee4b2ae6296d785ae000028ab9575cbc4bbb5fd5714dcaea63768ae413bb
Instruction Fuzzy Hash: EF316D35A56E0CAFEB309E14CC45BE977E5EB05390F584181BA12961E2C7B49F40FB4A

Function 00B1AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B1ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B1AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B1AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B1ACC6

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f1e6f56a7eae088041729b9b5fcc732cc9366c6262924af0ca8686e5e99a6c1a
Instruction ID: e685e1866c8a6cc13494457a1ac319144198de8dd8386f81628f31e1007b9aec
Opcode Fuzzy Hash: f1e6f56a7eae088041729b9b5fcc732cc9366c6262924af0ca8686e5e99a6c1a
Instruction Fuzzy Hash: 0B312630A01318AFEF35CB658C047FA7BE5EB89710F84429AE485932D1D375AAC587D2

Function 00B47674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B4769A
GetWindowRect.USER32(?,?), ref: 00B47710
PtInRect.USER32(?,?,00B48B89), ref: 00B47720
MessageBeep.USER32(00000000), ref: 00B4778C

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ddf66a236ea5ac8cc2b55501aec3c615f12e2f12d3659433d0dc23ec4a842170
Instruction ID: c12b53241ea99846778e2cf82bb2e1cd2abb0f698267ac833abec89fd78cec62
Opcode Fuzzy Hash: ddf66a236ea5ac8cc2b55501aec3c615f12e2f12d3659433d0dc23ec4a842170
Instruction Fuzzy Hash: B9418D38646214DFCB12CF58C894EA97BF9FF49714F5584E8E4249B261CB30AE42DF90

Function 00B416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B416EB

Part of subcall function 00B13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B13A57
Part of subcall function 00B13A3D: GetCurrentThreadId.KERNEL32 ref: 00B13A5E
Part of subcall function 00B13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B125B3), ref: 00B13A65

GetCaretPos.USER32(?), ref: 00B416FF
ClientToScreen.USER32(00000000,?), ref: 00B4174C
GetForegroundWindow.USER32 ref: 00B41752

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 26786cdf143f8b560ef55ba453fae4ff9b0be13759ae166e238dc520c3be3b6b
Instruction ID: de38a227eb9e4795ad5b8a48b36712d3475e5982b74760b35b0b544e80c83b7a
Opcode Fuzzy Hash: 26786cdf143f8b560ef55ba453fae4ff9b0be13759ae166e238dc520c3be3b6b
Instruction Fuzzy Hash: FB311075D00249AFC700EFA9C981DEEBBFDEF49304B5444A9E415E7212D6359E45CBA0

Function 00B48FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

GetCursorPos.USER32(?), ref: 00B49001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B07711,?,?,?,?,?), ref: 00B49016
GetCursorPos.USER32(?), ref: 00B4905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B07711,?,?,?), ref: 00B49094

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 001edfd6ae8fcaca020abfc2301dfd5a268d1961c3838ed410f1fabdd4e65a42
Instruction ID: b368abf7d95338993d41a792df2ab669625c29f677fd9150ce6831b933e427aa
Opcode Fuzzy Hash: 001edfd6ae8fcaca020abfc2301dfd5a268d1961c3838ed410f1fabdd4e65a42
Instruction Fuzzy Hash: 0E21AD35601018AFDF25CF98C859EFB3BF9FB4A750F004099F90547261CB319A51EB60

Function 00B1D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B4CB68), ref: 00B1D2FB
GetLastError.KERNEL32 ref: 00B1D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B1D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B4CB68), ref: 00B1D376

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 49bed3a02c24552d8762bc53d15d515192c23178faeb67e9838cc3b4309ec9fb
Instruction ID: 8120eeb03bc17ebf36f3526bb2a6b7e545eb5d645d5737fa80499b06bfdedfd4
Opcode Fuzzy Hash: 49bed3a02c24552d8762bc53d15d515192c23178faeb67e9838cc3b4309ec9fb
Instruction Fuzzy Hash: 6521D3705052019F8700DF28D8814EB7BE8FE56724FA04A5DF4A9C32A2DB30DA86CB97

Function 00B11571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B1102A
Part of subcall function 00B11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B11036
Part of subcall function 00B11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11045
Part of subcall function 00B11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B1104C
Part of subcall function 00B11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B115BE
_memcmp.LIBVCRUNTIME ref: 00B115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B11617
HeapFree.KERNEL32(00000000), ref: 00B1161E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9d3e9e2e8a1bceeab06d95a0eaa41c2080bc7113f81abe03445b4d5243c8fc0a
Instruction ID: 295589b9abc4920b6ad8c5466bd8bcdb44f9793aaea0101b85acc063a154db7e
Opcode Fuzzy Hash: 9d3e9e2e8a1bceeab06d95a0eaa41c2080bc7113f81abe03445b4d5243c8fc0a
Instruction Fuzzy Hash: 0C218C31E01108EFDF00DFA8C945BEEB7F9EF84344F584899E541AB241E731AA85CBA0

Function 00B42782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B4280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B42824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B42832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B42840

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ccaf35c424f2a558382a00e2f528edd9fbc428a860fbb40fef7f4727d87b37d4
Instruction ID: c1bdf3778ab7f1bedd0858bc1e707ac259578037e027872ca15091bb12dd5ac3
Opcode Fuzzy Hash: ccaf35c424f2a558382a00e2f528edd9fbc428a860fbb40fef7f4727d87b37d4
Instruction Fuzzy Hash: 7621D335205111AFD7149B24C845FAA7B99FF46324F148298F8268B6E2CB71FE42EB91

Function 00B178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B1790A,?,000000FF,?,00B18754,00000000,?,0000001C,?,?), ref: 00B18D8C
Part of subcall function 00B18D7D: lstrcpyW.KERNEL32(00000000,?,?,00B1790A,?,000000FF,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B18DB2
Part of subcall function 00B18D7D: lstrcmpiW.KERNEL32(00000000,?,00B1790A,?,000000FF,?,00B18754,00000000,?,0000001C,?,?), ref: 00B18DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B17923
lstrcpyW.KERNEL32(00000000,?,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B17949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B17984

Strings

cdecl, xrefs: 00B1797B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7f0d1ad6ca401284212de90409bf48aecdb1dc9f79e1ac5b1cbb8ac4fbb59586
Instruction ID: 0d6c2b72209c60a69eb7723f42a93f7d3ccda747981c0285efc4d26c0e2c805d
Opcode Fuzzy Hash: 7f0d1ad6ca401284212de90409bf48aecdb1dc9f79e1ac5b1cbb8ac4fbb59586
Instruction Fuzzy Hash: 3711E13A200302ABCB159F34D844EBA77F9FF85790B90806AF906C72A4EF319941C7A1

Function 00B47CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B47D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B47D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B47D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B2B7AD,00000000), ref: 00B47D6B

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e8840548c4f5abb05468e06648cb8c52d74874a9e06f7737dd66551f7f70eefc
Instruction ID: 030dead9d8050a57359b709366e864b7554bbe6fa1ec4a05093fa5061d377236
Opcode Fuzzy Hash: e8840548c4f5abb05468e06648cb8c52d74874a9e06f7737dd66551f7f70eefc
Instruction Fuzzy Hash: 1F11C071655614AFCB109F28CC04AAA3BE9FF46360B118764F839D72F0DB308A11DB40

Function 00B45660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00B456BB
_wcslen.LIBCMT ref: 00B456CD
_wcslen.LIBCMT ref: 00B456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B45816

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: fc365bf4305bf7b6edc919f4f024ec972fc5d27b84124f5ff59185d2e74a65a8
Instruction ID: fa857321c5a0b761f29beb680aa43d0e9170cfb5d216be260af13418ae7e4887
Opcode Fuzzy Hash: fc365bf4305bf7b6edc919f4f024ec972fc5d27b84124f5ff59185d2e74a65a8
Instruction Fuzzy Hash: 1B11D375600A18A7DB309F65CCC5AEE77FCEF11760B1040A6F915DA182EB70DB84DB60

Function 00AE1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba2e06a310e3342f821fb09de285d871c88af4ef24d92a9235cbd9b11a5cece
Instruction ID: c1f75f54030f2649dfb539f9cffd071bcb1c4872677b54b89f0a2bffe8de0dd5
Opcode Fuzzy Hash: eba2e06a310e3342f821fb09de285d871c88af4ef24d92a9235cbd9b11a5cece
Instruction Fuzzy Hash: 1101D6B22096AA3EF651277A6CC1F27666CEF817B8F310325F521621D2DF718C004270

Function 00B11A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B11A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B11A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B11A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B11A8A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6ae4661400afc571c94a4ee76e1864739ee95b8e2eb3608cdcfbf5efa0018af3
Instruction ID: 868e1fd2af9486f30a92447f4f6d6cfbccbcfc99c31442e9bb42b5f4eac65e5d
Opcode Fuzzy Hash: 6ae4661400afc571c94a4ee76e1864739ee95b8e2eb3608cdcfbf5efa0018af3
Instruction Fuzzy Hash: B311273A901219FFEB109BA8C985FEDBBB8EF08750F200491EA10B7294D6716E50DB94

Function 00B1E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B1E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00B1E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B1E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B1E24D

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 6a30d8bc541a43d816687df36f20ae94c6725d131db21b6fe6ded9bd35b4f9a7
Instruction ID: 05325aa754b957c5cd860327d6bdf03b5b71601c905551b635a04585fe9a8322
Opcode Fuzzy Hash: 6a30d8bc541a43d816687df36f20ae94c6725d131db21b6fe6ded9bd35b4f9a7
Instruction Fuzzy Hash: 95112676A05254BBC7019FAC9C09ADE7FECEB46720F404655FC24E32A1DBB0CE0087A0

Function 00ADD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00ADCFF9,00000000,00000004,00000000), ref: 00ADD218
GetLastError.KERNEL32 ref: 00ADD224
__dosmaperr.LIBCMT ref: 00ADD22B
ResumeThread.KERNEL32(00000000), ref: 00ADD249

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b516f1ddfacf985de3ecb1a8778ba20d8bfb05167db05926ed4d083d17722ba1
Instruction ID: dcdcf0dad6ffedb9bd1e781b6f4c8bdbd6ee9c0642bc74917292642efead044b
Opcode Fuzzy Hash: b516f1ddfacf985de3ecb1a8778ba20d8bfb05167db05926ed4d083d17722ba1
Instruction Fuzzy Hash: 98019236805204BBDB115BA5DC09BEB7E6DEF82731F10421AF927962D0DF718A41C6A0

Function 00AC990E Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00AC98D6
SetBkMode.GDI32(?,00000001), ref: 00AC98E9
GetStockObject.GDI32(00000005), ref: 00AC98F1
GetWindowLongW.USER32(?,000000EB), ref: 00AC9952

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 23dd7f2d1062b341655ca24c3cd82529841405b0d9aaa986b0f8bfe22089011b
Instruction ID: 4ec01e1d4ea7871f42e7ba9d0a7ebef2a3f4b04d80952fc2fcd8b0b0c2162553
Opcode Fuzzy Hash: 23dd7f2d1062b341655ca24c3cd82529841405b0d9aaa986b0f8bfe22089011b
Instruction Fuzzy Hash: 20116B3A1471808FD7128F24ECA9EE73F64EB5371171A019DE5829B2B3CA310A02DF61

Function 00B49EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2

GetClientRect.USER32(?,?), ref: 00B49F31
GetCursorPos.USER32(?), ref: 00B49F3B
ScreenToClient.USER32(?,?), ref: 00B49F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00B49F7A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b642b13f4a4cacd3ddc0da37635fa8a0695df46c074f631ec239f8a999a1debe
Instruction ID: b215272a618aec54753bee27c944fd82fb4fd05f1bcdeb0d926f9a7dc23e47b2
Opcode Fuzzy Hash: b642b13f4a4cacd3ddc0da37635fa8a0695df46c074f631ec239f8a999a1debe
Instruction Fuzzy Hash: BD11483690111AABDB00DF68D88A9EF7BB8FB46711F000495F911E3151DB30BF86DBA1

Function 00AB600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AB604C
GetStockObject.GDI32(00000011), ref: 00AB6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB606A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44399b2dcf2b8f212be99c80133408ec6674645620b259d2540481224be7d0b6
Instruction ID: bc98c09ad8ae9ccdbda27a7f655a15d6755c6f65e7092d44be37b16ff11c1c67
Opcode Fuzzy Hash: 44399b2dcf2b8f212be99c80133408ec6674645620b259d2540481224be7d0b6
Instruction Fuzzy Hash: 9411AD72102508BFEF125FA58C44EFABF6DFF097A5F044205FA0452022DB369C60DBA0

Function 00AD3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00AD3B56

Part of subcall function 00AD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AD3AD2
Part of subcall function 00AD3AA3: ___AdjustPointer.LIBCMT ref: 00AD3AED

_UnwindNestedFrames.LIBCMT ref: 00AD3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AD3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00AD3BA4

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1b06bfc43d7b2fdfd570aea24095507482a19626668498f1402b5cf15979eb74
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EE012933100148BBDF126F95CD46EEB3B69EF48794F04401AFE5956221C732E961EBA1

Function 00AE3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AB13C6,00000000,00000000,?,00AE301A,00AB13C6,00000000,00000000,00000000,?,00AE328B,00000006,FlsSetValue), ref: 00AE30A5
GetLastError.KERNEL32(?,00AE301A,00AB13C6,00000000,00000000,00000000,?,00AE328B,00000006,FlsSetValue,00B52290,FlsSetValue,00000000,00000364,?,00AE2E46), ref: 00AE30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AE301A,00AB13C6,00000000,00000000,00000000,?,00AE328B,00000006,FlsSetValue,00B52290,FlsSetValue,00000000), ref: 00AE30BF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e6c990ae29e61eaf0abf33d5b75c8ff953ee82219ff50317ecc94083336115f0
Instruction ID: c9a5c8d3902474e1eedd31ac435e41bbb7b6e524abae9511f5aedb1257deb7ba
Opcode Fuzzy Hash: e6c990ae29e61eaf0abf33d5b75c8ff953ee82219ff50317ecc94083336115f0
Instruction Fuzzy Hash: 8601D037712262ABCF718B7BAC4CA677B98AF45B71B214620F905E7150DB21DE01C6D0

Function 00B17464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B1747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B17497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B174CA

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 92d6373567db93aa65038cc37fd6711191c95867d17149de5baf08cce2f59117
Instruction ID: 449cef0312ce811526f9d1420e977c73c6270a145cbf0e500cb2de9704a9ddde
Opcode Fuzzy Hash: 92d6373567db93aa65038cc37fd6711191c95867d17149de5baf08cce2f59117
Instruction Fuzzy Hash: 3A118EB52463109BE7208F14ED48BD27FFCEB00B00F5085A9A656D7251DF70EA84DB90

Function 00B1B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B126

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4bca52cf58e55a57f85b51667d2243dbc20e8ad6b399b86ae49937cef7d8076a
Instruction ID: 622010cd27a902f985b749d96ef14e1cc9b21b0c63dc8e3347ff7686df5212a4
Opcode Fuzzy Hash: 4bca52cf58e55a57f85b51667d2243dbc20e8ad6b399b86ae49937cef7d8076a
Instruction Fuzzy Hash: 88113C31C01518E7CF009FE4E998AEEBFB8FF0A711F6140D5D951B3181CB3056908B51

Function 00B47E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B47E33
ScreenToClient.USER32(?,?), ref: 00B47E4B
ScreenToClient.USER32(?,?), ref: 00B47E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B47E8A

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a2d2ece6004c168b0929c7ded7021d66f693eae9dc2e31bdb759b9930e8b4b2e
Instruction ID: 8f6d65e9b77d8e7e1a6ddd1be26b6c27fa0ccb7268509d4716b54d400cc95f12
Opcode Fuzzy Hash: a2d2ece6004c168b0929c7ded7021d66f693eae9dc2e31bdb759b9930e8b4b2e
Instruction Fuzzy Hash: 3D1156B9D0020AAFDB41CF98C8849EEBBF9FF09310F509156E915E3210D735AA54CF50

Function 00B12DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B12DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B12DD6
GetCurrentThreadId.KERNEL32 ref: 00B12DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B12DE4

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9756e0e69bf12f5d35ef524ff4c3520d9a457fb23303cc98a4abdf02651bba81
Instruction ID: e2f9f542e641647a40aed78caf299a24aebef76323229b1b62003bbfd18de48e
Opcode Fuzzy Hash: 9756e0e69bf12f5d35ef524ff4c3520d9a457fb23303cc98a4abdf02651bba81
Instruction Fuzzy Hash: C0E06D752022287ADB201BA2EC0DEEB3EACFB43FA1F514065B505D30809EA08A80C6B0

Function 00B48863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AC9693
Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96A2
Part of subcall function 00AC9639: BeginPath.GDI32(?), ref: 00AC96B9
Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B48887
LineTo.GDI32(?,?,?), ref: 00B48894
EndPath.GDI32(?), ref: 00B488A4
StrokePath.GDI32(?), ref: 00B488B2

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ce0f08216f237933ae89493fb14f07ac9f6eb97c80c23222b304d63dee02e47b
Instruction ID: 071f5599872c680063f930632b176e7d072766bcb424fcac5140fe384f31df32
Opcode Fuzzy Hash: ce0f08216f237933ae89493fb14f07ac9f6eb97c80c23222b304d63dee02e47b
Instruction Fuzzy Hash: 2DF03A3A042258BADB125F98AC09FCE3F59AF06710F048140FA11661E2CB755612DBA9

Function 00AC98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AC98CC
SetTextColor.GDI32(?,?), ref: 00AC98D6
SetBkMode.GDI32(?,00000001), ref: 00AC98E9
GetStockObject.GDI32(00000005), ref: 00AC98F1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 72fec19e6634c4548ef52a19530e1e17fc0069abb633d16f570c36d7b373cae7
Instruction ID: 9f3883ebcbdadfc122143945da9124bb6bd8c5ab8edbdb6b6b6694c2e79d6c34
Opcode Fuzzy Hash: 72fec19e6634c4548ef52a19530e1e17fc0069abb633d16f570c36d7b373cae7
Instruction Fuzzy Hash: 00E0ED35680280AAEB200B74AC09BEC3F60FB12B32F048219F6FA690E1CB7147408B10

Function 00B1162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B11634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B111D9), ref: 00B1163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B111D9), ref: 00B11648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B111D9), ref: 00B1164F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 99e883c99bb69a73461d179fc0901653edbb9155b5d8404de54beb915e996d1d
Instruction ID: 3e250f367cef4c17787f65a5cad12ed93de9437ef3e08a464a99a828fb3492fc
Opcode Fuzzy Hash: 99e883c99bb69a73461d179fc0901653edbb9155b5d8404de54beb915e996d1d
Instruction Fuzzy Hash: 93E04F356022119BD7A01FA49D0DB863FA8FF46B91F144848F245CA090DA7445808B54

Function 00B0D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B0D858
GetDC.USER32(00000000), ref: 00B0D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B0D882
ReleaseDC.USER32(?), ref: 00B0D8A3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1e9bd676b044e8657228c12ca11d435c59a582a9a7d58703d3897c88a2568854
Instruction ID: f29624f6170f2dcdd265aef62ae45f0357fb1eb66f328d976ce39a0025382ab8
Opcode Fuzzy Hash: 1e9bd676b044e8657228c12ca11d435c59a582a9a7d58703d3897c88a2568854
Instruction Fuzzy Hash: 79E01AB8801204DFCB819FA0D908A6DBFB5FB09710F11C059F806E7260CB388A01EF40

Function 00B0D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B0D86C
GetDC.USER32(00000000), ref: 00B0D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B0D882
ReleaseDC.USER32(?), ref: 00B0D8A3

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 96df5f62abb1959dac55337fbcefefef842cc1d65426ab94c4c70ed06e62c24f
Instruction ID: 610d1e5ac67dc95c225c313c09f46919b1a6ef8e70bdc557adc03af072e7621d
Opcode Fuzzy Hash: 96df5f62abb1959dac55337fbcefefef842cc1d65426ab94c4c70ed06e62c24f
Instruction Fuzzy Hash: 4CE092B9801204EFCB91AFA4D908A6DBFB5BB09B11B159459F94AE7260CB385A01EF50

Function 00B24D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B24ED4

Strings

*, xrefs: 00B24E10
LPT, xrefs: 00B24DFB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b8a32cda7f54faf6d178aef0083ed8e81d1836d7ae64cca20d35400612ccf5dc
Instruction ID: 7a187c0b3ca284cdc7b7fad6120589972d87515bb868f22ac5a54329776109c6
Opcode Fuzzy Hash: b8a32cda7f54faf6d178aef0083ed8e81d1836d7ae64cca20d35400612ccf5dc
Instruction Fuzzy Hash: 77917C75A002149FCB14DF58D584EAABBF5EF88304F1980D9E80E9B7A2C771ED85CB90

Function 00ADE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00ADE30D

Strings

pow, xrefs: 00ADE2E5, 00ADE302

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5814c09c87ad6fb9aad15955704c09164f2ef3db57d256f07b013a15c67f2cdc
Instruction ID: bf6857759c62caa45559f6b291fc658c0a77b024ea14f8f1f2b12ff5b49b7069
Opcode Fuzzy Hash: 5814c09c87ad6fb9aad15955704c09164f2ef3db57d256f07b013a15c67f2cdc
Instruction Fuzzy Hash: 24515A71A0D24296CB15F719DE413BD3BA8AB40741F344D9AE0978B3A9EF358C819E86

Function 00ACE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00ACE1B1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8bb1534c911b76961dbf11988c8ec5936bf23d2a24791bbb7592e8f1f4dae7e2
Instruction ID: efcfb8abb5546cf7f7d4f0cc02ba14dce9e7bc858a83262ad72cc3c6e65e7d77
Opcode Fuzzy Hash: 8bb1534c911b76961dbf11988c8ec5936bf23d2a24791bbb7592e8f1f4dae7e2
Instruction Fuzzy Hash: 315100755002469FDF15DF68C081BFA7FE8EF25310F248499E8A19B2D1DA34DD42CBA0

Function 00ACF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00ACF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00ACF2BB

Strings

@, xrefs: 00ACF2AF

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c0f1988d151eacad0669bf30ba89a454da0bc95cff2bda1bf92a167ba999d738
Instruction ID: 0b27dc426897d40191d3ff41e8834d38e6651479f6c288899c677765d0c44fab
Opcode Fuzzy Hash: c0f1988d151eacad0669bf30ba89a454da0bc95cff2bda1bf92a167ba999d738
Instruction Fuzzy Hash: B85137714087449BD320AF14DD86BAFBBFCFB84710F81885DF1D942196EB718529CB66

Function 00B35745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B357E0
_wcslen.LIBCMT ref: 00B357EC

Strings

CALLARGARRAY, xrefs: 00B357E6, 00B357EB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d8558e83fd81e03e14f8667b6b933ed6c7d7210bc9b7003fe16c9d0970a48378
Instruction ID: dd4e127d3bbea6f2b1d85d7fe7f6f5861c575fc1ef3f135eaa63c4120becefda
Opcode Fuzzy Hash: d8558e83fd81e03e14f8667b6b933ed6c7d7210bc9b7003fe16c9d0970a48378
Instruction Fuzzy Hash: 1D419275E002099FCB14DFA9C9819FEBBF9FF59310F2040A9E515A7252E7309D81CB90

Function 00B2D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B2D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B2D13A

Strings

|, xrefs: 00B2D10B

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9c86bf30696d40cb38449e0161409bd264ba2576a383528c42bed77e75fc5af3
Instruction ID: d979c8d66ad179288b443698b3becacf5b23719ace3a5e136d1f2019a810ec88
Opcode Fuzzy Hash: 9c86bf30696d40cb38449e0161409bd264ba2576a383528c42bed77e75fc5af3
Instruction Fuzzy Hash: F6313D71D00219ABCF15EFA5DD85AEEBFB9FF04300F100059F819B61A2E735AA16CB50

Function 00B4356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B43621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B4365C

Strings

static, xrefs: 00B435BC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 970c775f54db154838a82fe8f554434ac50362cc503ec74b98637240b4cf15cb
Instruction ID: 41c9df10f3c93116ab648b7cc1b917cc797c7bcc2e2da2abd135b562a8c5ac0c
Opcode Fuzzy Hash: 970c775f54db154838a82fe8f554434ac50362cc503ec74b98637240b4cf15cb
Instruction Fuzzy Hash: D9319C71100204AEDB109F38DC81EFB77E9FF98B20F058619F8A597290DA30AE91E760

Function 00B44537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B4461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B44634

Strings

', xrefs: 00B4458E

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 6dd876f1cdcaf64376e22f216b6d0c44db9b7263ca38709a6f67de2ffbc4f887
Instruction ID: d8291d29058d46b76d9d75d65ba26cf9783d17f2663c9bd151c4d9ae178d903f
Opcode Fuzzy Hash: 6dd876f1cdcaf64376e22f216b6d0c44db9b7263ca38709a6f67de2ffbc4f887
Instruction Fuzzy Hash: 40313874A0121A9FDF14CFA9C981BDABBF5FF19300F1144AAE904AB351D770AA51DF90

Function 00B431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B4327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B43287

Strings

Combobox, xrefs: 00B43249

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fb79915fa087629142b73ce400c1ffd95ea04eaea1ce1b0acd0842306c2aacf3
Instruction ID: 0f8036080d84b472fe64b326e3ac1d7eccfb911814d0e232a04ee68c85d1cd09
Opcode Fuzzy Hash: fb79915fa087629142b73ce400c1ffd95ea04eaea1ce1b0acd0842306c2aacf3
Instruction Fuzzy Hash: 6311E2713002087FFF219E54DC80EBB3BEEEB98764F144164F918A7290D6B19E51A760

Function 00B43710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AB604C
Part of subcall function 00AB600E: GetStockObject.GDI32(00000011), ref: 00AB6060
Part of subcall function 00AB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB606A

GetWindowRect.USER32(00000000,?), ref: 00B4377A
GetSysColor.USER32(00000012), ref: 00B43794

Strings

static, xrefs: 00B43757

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c44cbf817315010ed461090e63f0f0c4b2c8aa1ef19e70e8b4e392c5d78ba5f7
Instruction ID: 0f5b97286a90d10f88f6c3712792d6d52e61a3861c5c8df3b256eb574e34529b
Opcode Fuzzy Hash: c44cbf817315010ed461090e63f0f0c4b2c8aa1ef19e70e8b4e392c5d78ba5f7
Instruction Fuzzy Hash: C21129B2610209AFDB00DFA8CC46EEA7BF8FB09714F044955F995E3250DB35E9519B50

Function 00B2CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B2CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B2CDA6

Strings

<local>, xrefs: 00B2CD66

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 436e562d381e9add0e9861e48c6b92762e27d663a530c8915a5d565a1dd896dc
Instruction ID: b061552b6efd2a1c07549f74c57f38c00a8bdb5cbe9b9ceb2b88fc6865910f12
Opcode Fuzzy Hash: 436e562d381e9add0e9861e48c6b92762e27d663a530c8915a5d565a1dd896dc
Instruction Fuzzy Hash: 081106752016317AD7344B669C84EEBBEECEF127E4F1042B6B11D83090D7749944D6F0

Function 00B43429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B434BA

Strings

edit, xrefs: 00B4348F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: aa1a8dffd961561abfa71ac4b60fdb963a688d6a0ec92cf18d6f39c6e417a744
Instruction ID: b81ae8d42a3535dd417ee4b87cc2e1cc53ab7f23e48dc0f5c72edc6b7173ada1
Opcode Fuzzy Hash: aa1a8dffd961561abfa71ac4b60fdb963a688d6a0ec92cf18d6f39c6e417a744
Instruction Fuzzy Hash: E011C171100108AFEB124E68DC80AFB3BEAEF15B74F544364F965932E0C735DE91A750

Function 00B16C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00B16CB6
_wcslen.LIBCMT ref: 00B16CC2

Strings

STOP, xrefs: 00B16CBC, 00B16CC1

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 04e19882638269d0830f27aac68f392eb34524e59a68eeb5227ae27a3ac277ff
Instruction ID: 31eabc8ff097d3257ad659fe235e017ace91d2353c2aa244ae43aa66b824cd0d
Opcode Fuzzy Hash: 04e19882638269d0830f27aac68f392eb34524e59a68eeb5227ae27a3ac277ff
Instruction Fuzzy Hash: 0001C432A0052A8BCB209FBDDD809FF77E9EA6171079005B4E86297191EB31D980C690

Function 00B11CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B11D4C

Strings

ListBox, xrefs: 00B11D16
ComboBox, xrefs: 00B11CEB

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3485fffd2b14e05e0c63a80e87bba586f790bf09c60a80f7d777aa44300d0cfb
Instruction ID: 5445caa9529c10ba72d11726f5fac9fcb0a1d5a35e8f5d3122d91802e27f4e63
Opcode Fuzzy Hash: 3485fffd2b14e05e0c63a80e87bba586f790bf09c60a80f7d777aa44300d0cfb
Instruction Fuzzy Hash: 5B012431601218AB8B18EFA8DD91CFF77E8FB02350B500A69F932673D2EA315948C660

Function 00B11BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B11C46

Strings

ListBox, xrefs: 00B11C10
ComboBox, xrefs: 00B11BE5

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0e45551f47c989a75d61aef1763eb9e380f98ed5807913afe6a37bc25a479c7b
Instruction ID: e32859c049ca5a808ed68d35042d5e04ac9a0f0093d09b9767d7737d79416acd
Opcode Fuzzy Hash: 0e45551f47c989a75d61aef1763eb9e380f98ed5807913afe6a37bc25a479c7b
Instruction Fuzzy Hash: 1301F7757811086BCB14EB94CA919FF77ECDB12340F500459AA1667282EA209F4886F1

Function 00B11C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B11CC8

Strings

ListBox, xrefs: 00B11C94
ComboBox, xrefs: 00B11C69

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2c0b5ea7b4a1944e1c0e188e8a8ebacd7cf665f468f2d010efd2c514fef3c9f3
Instruction ID: 7efab81e72e553f328a86aeaa324db3de703df6fb06d11bba14e288f642cb848
Opcode Fuzzy Hash: 2c0b5ea7b4a1944e1c0e188e8a8ebacd7cf665f468f2d010efd2c514fef3c9f3
Instruction Fuzzy Hash: 0F01D6756812186BCF14EBA4CB41AFF77ECDB12740F940455BA06B7282FA619F48C6F2

Function 00B11D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD

Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B11DD3

Strings

ListBox, xrefs: 00B11DA0
ComboBox, xrefs: 00B11D75

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8925d14aea0934319ef951de495757b031d284d599a7c8bf0f54b7622717b554
Instruction ID: c0687419ab742f26d10cdf310d85f1fa692f492cdedddacfd3f90085d58f9d96
Opcode Fuzzy Hash: 8925d14aea0934319ef951de495757b031d284d599a7c8bf0f54b7622717b554
Instruction Fuzzy Hash: C3F0F971A4121867CB14E7A4DD91BFF77FCEB02740F440D55B922632C2EA605A088260

Function 00B3747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B37493
_wcslen.LIBCMT ref: 00B374B9

Strings

3, 3, 16, 1, xrefs: 00B37483

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: cc05851debe58349b4182dddb791e31f0a6c1b0240d2cfd4ad72ff7ee546f915
Instruction ID: c4614b946a2fd36e784673893305c67727a17569a41a6a3d01665281a5de132c
Opcode Fuzzy Hash: cc05851debe58349b4182dddb791e31f0a6c1b0240d2cfd4ad72ff7ee546f915
Instruction Fuzzy Hash: 3BE02B42254320219231137A9DC197F76C9CFCD750B20186BF996C2366EEA49D9293A0

Function 00B10B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B10B23

Strings

Error allocating memory., xrefs: 00B10B1C
AutoIt, xrefs: 00B10B17

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 62b8b921356752617e20820fa673fd9c26108566b66ca373ece46f8f60d7d70b
Instruction ID: 81de42c8e31724a928318eec093eb6666441f77fd1011a65c1ad458a043b2385
Opcode Fuzzy Hash: 62b8b921356752617e20820fa673fd9c26108566b66ca373ece46f8f60d7d70b
Instruction Fuzzy Hash: 14E0D8322893183BD25037947D03FC97FC9CF05F10F10446AF758555D38EE1259016E9

Function 00AD0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ACF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00AD0D71,?,?,?,00AB100A), ref: 00ACF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00AB100A), ref: 00AD0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AB100A), ref: 00AD0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AD0D7F

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a7bef0b1a009214ab537dcd0a3aa1cfb89eac17ffd6132474019dd144e222300
Instruction ID: 7d70f7a2b10687ba39396f3523113ada6237c2357c9751f1e08b87fd49c06667
Opcode Fuzzy Hash: a7bef0b1a009214ab537dcd0a3aa1cfb89eac17ffd6132474019dd144e222300
Instruction Fuzzy Hash: 8AE06D742003118BD3609FBCE504B927BE5BB04B41F00496EE483C7762EBF0E544CBA1

Function 00B23017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B2302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B23044

Strings

aut, xrefs: 00B23038

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7fd593ff9066f0a31beda7e9878ebab7e77cb630607fbd90689bcda53e600888
Instruction ID: 6697bb3c676793916f5f401a2332c3cbb9628cac6667cebda2c4ed3fe65b2115
Opcode Fuzzy Hash: 7fd593ff9066f0a31beda7e9878ebab7e77cb630607fbd90689bcda53e600888
Instruction Fuzzy Hash: ECD05E7650132867DA60A7A4AC0EFCB3F6CEB05B50F0002A1B655E30A1DEF09A84CAD4

Function 00B42322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B4232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B4233F

Part of subcall function 00B1E97B: Sleep.KERNEL32 ref: 00B1E9F3

Strings

Shell_TrayWnd, xrefs: 00B42325

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 96c0b46e91fa74ef89a2461bec019fc2f68b69a4d95edd776d88d7f1249adddc
Instruction ID: 4d3758b18acf9b0164e5eadba15ec0c1f08f84eafc5ddef3a132a7328f8f4302
Opcode Fuzzy Hash: 96c0b46e91fa74ef89a2461bec019fc2f68b69a4d95edd776d88d7f1249adddc
Instruction Fuzzy Hash: 7DD0A93A381300B6E2A8A3309C0FFCA6A64AB00B00F0089027B1AAB0E0C9B0A8008A00

Function 00B42356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B4236C
PostMessageW.USER32(00000000), ref: 00B42373

Part of subcall function 00B1E97B: Sleep.KERNEL32 ref: 00B1E9F3

Strings

Shell_TrayWnd, xrefs: 00B42365

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 79d9a6a0da48a2ca3cdd9b57509b65de2591a71c6560b97b85491e8eee5bd1d7
Instruction ID: e4a247f03e9b9f0aa469d40f52c27ae28f71cd9de85b3202f9bcca7fbd1a77c2
Opcode Fuzzy Hash: 79d9a6a0da48a2ca3cdd9b57509b65de2591a71c6560b97b85491e8eee5bd1d7
Instruction Fuzzy Hash: 13D0A9363823007AE2A8A3309C0FFCA6A64AB01B00F4089027B16AB0E0C9B0A8008A04

Function 00AEBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00AEBE93
GetLastError.KERNEL32 ref: 00AEBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AEBEFC

Memory Dump Source

Source File: 00000000.00000002.1801349340.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1801312099.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801444042.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801542524.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801580744.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7611ce9af5ed28a9161d6df5a0114fe4e2f78de17a70f12ae8b848ff38f7f44d
Instruction ID: b930779786668cb23396d45e2a6b9f10501384eac58f66a33d8e4ef4a758dc77
Opcode Fuzzy Hash: 7611ce9af5ed28a9161d6df5a0114fe4e2f78de17a70f12ae8b848ff38f7f44d
Instruction Fuzzy Hash: 2741D534611286AFCF21DFA6CD58ABB7BB5AF42710F144169F959A72A1DB30CD00DBB0

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1967333030.00000297DFA4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1959192955.00000297DFC7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1954972760.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911639938.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922653573.00000297E6C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1954972760.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911639938.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922653573.00000297E6C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1954972760.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911639938.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1820978950.00000297E006C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1820978950.00000297E006C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/Could not find branch slug nimbus:studies-enabled-changednimbus-desktop-experiments did not match due to targeting equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1954972760.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911639938.00000297E87D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922653573.00000297E6C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3588737607.00000246D6F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3588485455.000001974180A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&O equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1955039040.00000297E7FCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963107447.00000297E7FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1955039040.00000297E7FCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1963107447.00000297E7FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1920249293.00000297DF8F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49812 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cdd0de23-27da-4499-8c01-b2b6a4720476.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cdd0de23-27da-4499-8c01-b2b6a4720476.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MEFCKG4WZIHG1ROS00XY.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWAFZQWL37PFK0KKM0F2.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre