Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574370
MD5:	a42c2512c7c450e1f1be312fbd38ac1b
SHA1:	830655bc2ae30b03b1b6f31f1f8229c15a9c712b
SHA256:	f4eecef17c99bb3d44793ec672f3c26c4cc2972578a95d7c1afc4945aa43b0f2
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5656 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A42C2512C7C450E1F1BE312FBD38AC1B)

taskkill.exe (PID: 4268 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6480 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1492 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6176 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1680 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 1248 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6484 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5688 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4320 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80db43b3-06a6-45fd-ab72-eb115fc5e68b} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2291416e710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7184 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e3adfb9-24e3-44e8-97eb-6a9063139a69} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 229269f3e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cd9c003-7a83-40b4-a5f0-67db82c62fcc} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2292bd7ab10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5656	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_008EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_008EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00909576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00909576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_12b92518-d
Source: file.exe, 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_86405b3b-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6c0d0c9a-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_870ca150-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000147D34A2377 NtQuerySystemInformation,		17_2_00000147D34A2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000147D3519D32 NtQuerySystemInformation,		17_2_00000147D3519D32

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E2046	0_2_008E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878060	0_2_00878060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D8298	0_2_008D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AE4FF	0_2_008AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A676B	0_2_008A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00904873	0_2_00904873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089CAA0	0_2_0089CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087CAF0	0_2_0087CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088CC39	0_2_0088CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A6DD9	0_2_008A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008791C0	0_2_008791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088B119	0_2_0088B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891394	0_2_00891394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891706	0_2_00891706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089781B	0_2_0089781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008919B0	0_2_008919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00877920	0_2_00877920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088997D	0_2_0088997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00897A4A	0_2_00897A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00897CA7	0_2_00897CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891C77	0_2_00891C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A9EEE	0_2_008A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FBE44	0_2_008FBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891F32	0_2_00891F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000147D34A2377	17_2_00000147D34A2377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000147D3519D32	17_2_00000147D3519D32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000147D351A45C	17_2_00000147D351A45C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_00000147D3519D72	17_2_00000147D3519D72

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00879CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00890A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0088F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/41@79/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E37B5 GetLastError,FormatMessageW,

0_2_008E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D10BF AdjustTokenPrivileges,CloseHandle,		0_2_008D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008DD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008742A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2232260542.000002292E9BF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80db43b3-06a6-45fd-ab72-eb115fc5e68b} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2291416e710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e3adfb9-24e3-44e8-97eb-6a9063139a69} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 229269f3e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cd9c003-7a83-40b4-a5f0-67db82c62fcc} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2292bd7ab10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80db43b3-06a6-45fd-ab72-eb115fc5e68b} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2291416e710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e3adfb9-24e3-44e8-97eb-6a9063139a69} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 229269f3e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cd9c003-7a83-40b4-a5f0-67db82c62fcc} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2292bd7ab10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2174572873.000002292FC13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2260639343.0000022923DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2255811606.0000022923DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2256975553.0000022923DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2260639343.0000022923DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2255811606.0000022923DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2256628548.000002292FC13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2174572873.000002292FC13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2256975553.0000022923DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2256628548.000002292FC13000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00890A76 push ecx; ret

0_2_00890A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0088F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00901C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00901C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96521

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000147D34A2377 rdtsc

17_2_00000147D34A2377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AC2A2 FindFirstFileExW,	0_2_008AC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E68EE FindFirstFileW,FindClose,	0_2_008E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Source: firefox.exe, 00000011.00000002.3903910555.00000147D2CDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@fT
Source: firefox.exe, 00000010.00000002.3910838729.00000222BA600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: file.exe, 00000000.00000003.2121417290.0000000001323000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120439785.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2119927647.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118008768.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120670811.00000000012F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: firefox.exe, 00000011.00000002.3909883109.00000147D3550000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*;
Source: firefox.exe, 00000010.00000002.3910838729.00000222BA600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3904250773.00000222B9FEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3909883109.00000147D3540000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3903916407.000001AB4C75A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909424305.000001AB4CC00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3910155378.00000222BA51D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3909883109.00000147D3550000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX8V
Source: file.exe, 00000000.00000003.2121869626.00000000012F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2123085969.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120439785.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2119927647.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118008768.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120670811.00000000012F3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3910838729.00000222BA600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3909883109.00000147D3550000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_00000147D34A2377 rdtsc

17_2_00000147D34A2377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EEAA2 BlockInput,

0_2_008EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00894CE8 mov eax, dword ptr fs:[00000030h]

0_2_00894CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008D0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0089083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008909D5 SetUnhandledExceptionFilter,	0_2_008909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00890C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00890C21

Source: C:\Users\user\Desktop\file.exe

0_2_008D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DB226 SendInput,keybd_event,

0_2_008DB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008F22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_008D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00890698 cpuid

0_2_00890698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008CD21C GetLocalTime,

0_2_008CD21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008CD27A GetUserNameW,

0_2_008CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008AB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5656, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5656, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_008F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	32%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.110	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3906080801.000001AB4CBC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2232260542.000002292E9BF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2254741816.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233426200.000002292D187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262627723.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2202895155.000002292BE47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3906468389.00000222BA4E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D30E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909635648.000001AB4CD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3906080801.000001AB4CB8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2119885542.0000022924964000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2282195334.000002292C228000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2188650740.000002292C0E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243902190.000002292C0E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2323252355.0000022921ECC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2320003585.0000022923E37000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2095630449.000002292411F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095767949.000002292413C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095446566.0000022923F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2096024055.0000022924177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095886243.000002292415A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2266136656.000002292D7A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188368953.000002292D7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2267649308.000002292CA5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282157724.000002292CAA1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2189250009.000002292BF25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248719137.000002292BF25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2189124567.000002292BF3B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2232814112.000002292E532000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095446566.0000022923F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2096024055.0000022924177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095886243.000002292415A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000E.00000003.2249333487.0000022927966000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0	firefox.exe, 0000000E.00000003.2318235706.00003562CA403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317744148.00003A5B22403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2318054862.000019DAEC303000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2095630449.000002292411F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095767949.000002292413C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095446566.0000022923F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2096024055.0000022924177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095886243.000002292415A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000E.00000003.2189530471.00000229278E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252123735.00000229266C7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2300628152.000002292CA2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2189124567.000002292BF4B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.2265179006.00000229256F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114642891.00000229256F5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D3003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3906080801.000001AB4CB0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2161692256.0000022924C35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2163057908.0000022924C51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162957236.0000022924C49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2300686626.000002292CA21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3906080801.000001AB4CBC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2308472994.0000022923F79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2161692256.0000022924C35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2130094487.0000022925F2C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2233426200.000002292D1A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2266136656.000002292D7A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188368953.000002292D7A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2263531160.0000022925E2A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2274197587.000002292DE70000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3906468389.00000222BA4E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D30E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909635648.000001AB4CD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3906468389.00000222BA4E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D30E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909635648.000001AB4CD03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2189124567.000002292BF50000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3906080801.000001AB4CB13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3905608284.000001AB4CAD0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2189250009.000002292BF25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248719137.000002292BF25000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2271223869.0000022924E6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304913099.0000022924E6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2226599838.0000022925FF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223288118.00000229253E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2237674839.000002292F439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2133068925.00000229253C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282646480.000002292664C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277496093.0000022926DCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2178652803.00000229254C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2199216636.0000022925DC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2202895155.000002292BE29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2243962656.000002292BD87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308656903.0000022923F4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2143984559.0000022925FF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2102660916.00000229254DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2133483705.00000229254C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2199216636.0000022925DBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260986526.00000229246FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2102848321.00000229246FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252123735.00000229266B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2312214328.00000229246D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234827967.000002292461E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277496093.0000022926D95000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2249333487.0000022927966000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2249333487.0000022927966000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2188889145.000002292BF82000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2265179006.00000229256F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114642891.00000229256F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188678836.000002292BFB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2265179006.00000229256F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2114642891.00000229256F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2188678836.000002292BFB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2271223869.0000022924E6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2304913099.0000022924E6F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2202895155.000002292BE47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2119885542.0000022924964000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2267746421.000002292C25F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2189124567.000002292BF3B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2233426200.000002292D1A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2254521840.000002292602B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319653925.000002292602B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2278236289.0000022926D8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269268356.0000022926D88000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2161692256.0000022924C35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2163057908.0000022924C51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2162957236.0000022924C49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2300686626.000002292CA21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2119885542.0000022924964000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2300560216.000002292CA3B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3905655216.00000222BA1A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3909503557.00000147D34D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3905228912.000001AB4C8C0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2095886243.000002292415A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2095630449.000002292411F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321390952.0000022923A74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095767949.000002292413C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2321153509.0000022923AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095446566.0000022923F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2096024055.0000022924177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2095886243.000002292415A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2189250009.000002292BF25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248719137.000002292BF25000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574370
Start date and time:	2024-12-13 10:02:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/41@79/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 35.85.93.176, 54.213.181.160, 172.217.17.46, 88.221.134.155, 88.221.134.209, 142.250.181.106, 142.250.181.138, 23.218.208.109, 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
FASTLYUS	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	151.101.66.137
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	secure.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.110.153
	archive.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.111.153
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	185.199.108.153
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.0.41.226
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.92.80.67

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a0db2de6-1356-4b50-aed9-b90b8e0410fc.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1740859204053224
Encrypted:	false
SSDEEP:	192:OKMXHzEcbhbVbTbfbRbObtbyEl7n2LLrpJA6wnSrDtTkd/S+:OP4cNhnzFSJWLLrEjnSrDhkd/X
MD5:	A3892B88F2E33C33BD9DAC35B313D73E
SHA1:	DE8A0EA991CB1C69583D5BF8402B79A6AD6FD970
SHA-256:	A7030F747CC48EED6D173D026F941EEBAF55EED105194A4AACAC75E89717A690
SHA-512:	B33CD93DD8B0A4534570D3D23D52CCC402713E192A14540C13D2836D954DEABD04ABD807DEFC3DA2D3AC022D993E3E0257EC96388C1587AC7CFCE34A398F1ECD
Malicious:	false
Preview:	{"type":"uninstall","id":"a0db2de6-1356-4b50-aed9-b90b8e0410fc","creationDate":"2024-12-13T10:16:32.017Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a0db2de6-1356-4b50-aed9-b90b8e0410fc.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1740859204053224
Encrypted:	false
SSDEEP:	192:OKMXHzEcbhbVbTbfbRbObtbyEl7n2LLrpJA6wnSrDtTkd/S+:OP4cNhnzFSJWLLrEjnSrDhkd/X
MD5:	A3892B88F2E33C33BD9DAC35B313D73E
SHA1:	DE8A0EA991CB1C69583D5BF8402B79A6AD6FD970
SHA-256:	A7030F747CC48EED6D173D026F941EEBAF55EED105194A4AACAC75E89717A690
SHA-512:	B33CD93DD8B0A4534570D3D23D52CCC402713E192A14540C13D2836D954DEABD04ABD807DEFC3DA2D3AC022D993E3E0257EC96388C1587AC7CFCE34A398F1ECD
Malicious:	false
Preview:	{"type":"uninstall","id":"a0db2de6-1356-4b50-aed9-b90b8e0410fc","creationDate":"2024-12-13T10:16:32.017Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1EARW9TUGSEIOLD6ER95.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.306912261387995
Encrypted:	false
SSDEEP:	48:6d+bwQUgdwPz8d+bw06BdwJ2d+bw0adwL1:IQ0G0J
MD5:	A08776883E762A5FA175FA9EFA00BAD7
SHA1:	C17BEB89DF2F6A717C2970157DCD81AFF2BFC911
SHA-256:	CB9F8386B84DEDB7F1DEBD548729ED1BD4E17A2BC1EDA3326757FDC5D3FF3D27
SHA-512:	7E0A3A1B7DE0332FA98046DABCA64BD8A21A599ED9CEA641741A85DD28327EAE7F28278D96B42ECA15BEA9D47755106B35FB0D31540682DFC749AC12A757CA9F
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........8.=M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y{H....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y{H............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y{H..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............y......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.306912261387995
Encrypted:	false
SSDEEP:	48:6d+bwQUgdwPz8d+bw06BdwJ2d+bw0adwL1:IQ0G0J
MD5:	A08776883E762A5FA175FA9EFA00BAD7
SHA1:	C17BEB89DF2F6A717C2970157DCD81AFF2BFC911
SHA-256:	CB9F8386B84DEDB7F1DEBD548729ED1BD4E17A2BC1EDA3326757FDC5D3FF3D27
SHA-512:	7E0A3A1B7DE0332FA98046DABCA64BD8A21A599ED9CEA641741A85DD28327EAE7F28278D96B42ECA15BEA9D47755106B35FB0D31540682DFC749AC12A757CA9F
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........8.=M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y{H....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y{H............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y{H..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............y......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.306912261387995
Encrypted:	false
SSDEEP:	48:6d+bwQUgdwPz8d+bw06BdwJ2d+bw0adwL1:IQ0G0J
MD5:	A08776883E762A5FA175FA9EFA00BAD7
SHA1:	C17BEB89DF2F6A717C2970157DCD81AFF2BFC911
SHA-256:	CB9F8386B84DEDB7F1DEBD548729ED1BD4E17A2BC1EDA3326757FDC5D3FF3D27
SHA-512:	7E0A3A1B7DE0332FA98046DABCA64BD8A21A599ED9CEA641741A85DD28327EAE7F28278D96B42ECA15BEA9D47755106B35FB0D31540682DFC749AC12A757CA9F
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........8.=M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y{H....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y{H............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y{H..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............y......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GZGTLR0P67T7P0MSAY4C.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.306912261387995
Encrypted:	false
SSDEEP:	48:6d+bwQUgdwPz8d+bw06BdwJ2d+bw0adwL1:IQ0G0J
MD5:	A08776883E762A5FA175FA9EFA00BAD7
SHA1:	C17BEB89DF2F6A717C2970157DCD81AFF2BFC911
SHA-256:	CB9F8386B84DEDB7F1DEBD548729ED1BD4E17A2BC1EDA3326757FDC5D3FF3D27
SHA-512:	7E0A3A1B7DE0332FA98046DABCA64BD8A21A599ED9CEA641741A85DD28327EAE7F28278D96B42ECA15BEA9D47755106B35FB0D31540682DFC749AC12A757CA9F
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........8.=M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y{H....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y{H............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y{H..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............y......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923843540455199
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNc9z0xeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LvG8P
MD5:	C3BE404DA15AB9FB4F6044D6757F55DB
SHA1:	419F58C5118548D5ABB198F553D81E64978CB010
SHA-256:	581B85AD6EEC386E85EF800D974AB6AA2839F859C057BC17AF7D79C63AE4667A
SHA-512:	E1561585AE49ED26C133D1EFD753BDEB7F215F2DE5BE5F55B2AC8DB83FF157AEF23936B440DB2494EA6D287F958A8BCA2899FF6AFB49E7B50D184634E5F5F1E8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.923843540455199
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNc9z0xeh:8S+OVPUFRbOdwNIOdYpjvY1Q6LvG8P
MD5:	C3BE404DA15AB9FB4F6044D6757F55DB
SHA1:	419F58C5118548D5ABB198F553D81E64978CB010
SHA-256:	581B85AD6EEC386E85EF800D974AB6AA2839F859C057BC17AF7D79C63AE4667A
SHA-512:	E1561585AE49ED26C133D1EFD753BDEB7F215F2DE5BE5F55B2AC8DB83FF157AEF23936B440DB2494EA6D287F958A8BCA2899FF6AFB49E7B50D184634E5F5F1E8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07314260413521964
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki5:DLhesh7Owd4+ji
MD5:	BF72F139B2E65A50371AD6D16CD9CEF0
SHA1:	EEDEBC25558956F08EAD16F0A5A2FC4580994AFE
SHA-256:	8197D52A581E4E35F49FC100CB2C131D26CCE45D4BF1CC1FD003520D341E2E29
SHA-512:	ED59DD3FE0188598999FD9DA18AB0C47B8F326D78538BBA5F6DAD36B9E95C7915021A0CDAD286999A1E1480F73DCCB276ECD9F67627A5E772F27B33312349248
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.038492765067426785
Encrypted:	false
SSDEEP:	3:GHlhVEvaFlv0OA9olHlhVEvaFlv0OAlSl8a9//Ylll4llqlyllel4lt:G7VEvWYil7VEvWYAL9XIwlio
MD5:	857FE0D7EA2A1BFF414242F1E34F7CD3
SHA1:	B17FB2F6B03D428F4C5CBA7C09F7624E945515C2
SHA-256:	A18BBA35229F6DD0878A1F376D84250BFA54277C599CA8121AAE6A16BA0950FA
SHA-512:	3540D3273F5976B4FE679D71D900F371A8205404B62F5B76611FD35903391C2499A4F9F35D3B3103FF717A764127DE2B2D62E1B6BB1A39128D790CEB47B519F4
Malicious:	false
Preview:	..-......................7.J.@%.O..e.fHi.n....2...-......................7.J.@%.O..e.fHi.n....2.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.1334994130768157
Encrypted:	false
SSDEEP:	24:KZ9fkLfLxsZ+/2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2Swd:MMhQ62VJCXs4qLWeJa1VyrqZk
MD5:	415D4BA7EC63FCDFC784483B6449C8CF
SHA1:	7680939013F9C539ABEDD72359A4919D69E1ECEF
SHA-256:	1EC02B1C97D4CCC74F2DCAD15E9878AC748AA807A0821CE323115B8E6BF986B9
SHA-512:	A66A93942EA8D2364CFA2C095ABC5D86035BA79B591C56C4018624C4C570643F4F6C65E49093FE2DED58F4FF01C161562D55A538FE10F5C140BEB5C449DBE204
Malicious:	false
Preview:	7....-..........O..e.fHi;..b]'..........O..e.fHi...9.H..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477414660504424
Encrypted:	false
SSDEEP:	192:/nPOeRnLYbBp6AJ0aX+t6SEXKR2Nn55RHWNBw8d1JSl:3DeBJU0AytHEwIJ0
MD5:	372820D9E44F44F241541B4D5C1F4EEE
SHA1:	3BE3942438CB955CA589CDFB691697D218E902B4
SHA-256:	E5C1A096C965C8A60261A062DB3C409F4A71611E33B22BD626D0C95E24C31609
SHA-512:	F4F614D17AED08DC5436F3938C9346FD0765BE5B639076D714798969F745EAD5CABDAB7400828EBE55BA79D470B39411C7958DEEA2E79C58F45453383AFF8C5D
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734084962);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734084962);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734084962);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477414660504424
Encrypted:	false
SSDEEP:	192:/nPOeRnLYbBp6AJ0aX+t6SEXKR2Nn55RHWNBw8d1JSl:3DeBJU0AytHEwIJ0
MD5:	372820D9E44F44F241541B4D5C1F4EEE
SHA1:	3BE3942438CB955CA589CDFB691697D218E902B4
SHA-256:	E5C1A096C965C8A60261A062DB3C409F4A71611E33B22BD626D0C95E24C31609
SHA-512:	F4F614D17AED08DC5436F3938C9346FD0765BE5B639076D714798969F745EAD5CABDAB7400828EBE55BA79D470B39411C7958DEEA2E79C58F45453383AFF8C5D
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734084962);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734084962);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734084962);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\6baa7e07-47c4-41e9-9d28-ebc3308c7d8c (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.951602849618236
Encrypted:	false
SSDEEP:	12:YZFgq1rcHGJD0TaIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:Y51wmh0TaSlCOlZGV1AQIWZcy6ZXvx
MD5:	E322832C30F5099FF497545B3131A71C
SHA1:	E2335754CE8CD834E1A2F650302243D95D3534ED
SHA-256:	B4994253F9CE57CE44FFBEB308399082D3C14DA0B31DD60290F9EB749B714DA5
SHA-512:	F2D68B38AF4A77F6F00685D5AA769E4C57E136A1D2CA4E277ACCEADE9D1B5D7C6FD2E490D2604F3FF5F377EC8EBBAAB524C363D7DD736EDB5B0434E29637FEB4
Malicious:	false
Preview:	{"type":"health","id":"6baa7e07-47c4-41e9-9d28-ebc3308c7d8c","creationDate":"2024-12-13T10:16:33.302Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\6baa7e07-47c4-41e9-9d28-ebc3308c7d8c.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.951602849618236
Encrypted:	false
SSDEEP:	12:YZFgq1rcHGJD0TaIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:Y51wmh0TaSlCOlZGV1AQIWZcy6ZXvx
MD5:	E322832C30F5099FF497545B3131A71C
SHA1:	E2335754CE8CD834E1A2F650302243D95D3534ED
SHA-256:	B4994253F9CE57CE44FFBEB308399082D3C14DA0B31DD60290F9EB749B714DA5
SHA-512:	F2D68B38AF4A77F6F00685D5AA769E4C57E136A1D2CA4E277ACCEADE9D1B5D7C6FD2E490D2604F3FF5F377EC8EBBAAB524C363D7DD736EDB5B0434E29637FEB4
Malicious:	false
Preview:	{"type":"health","id":"6baa7e07-47c4-41e9-9d28-ebc3308c7d8c","creationDate":"2024-12-13T10:16:33.302Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.340110839005781
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRKoWLXnIrPw/pnxQwRcWT5sKmgbv73eHVpjO+aamhujJwO2c0TiV5:GUpOxkW1nRcoegD73erjxa4Jwc3zBtT
MD5:	9F03A44080D5CA41859046CD47A6CBBA
SHA1:	605E80A7C40A1C97D3F47CE0DBEE6FA8B9C80DCC
SHA-256:	436AAFB86F46D5613FBD04650C185A6AAAEBF88B29DA1241CA2D0068AE5A7A00
SHA-512:	42088D24806C856D30B014C4A7C63772788E2A727942A1E685B8E9A0E339C9BD4DF48704A43CD23EACF0EF441C3E0D062BD8ABB5CD5A210F6C85DB2116B46FC6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{0b64e77d-7bb4-45d5-a6c7-3ef56c8954c3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734084966009,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..iUpdate...10,"startTim..P32022...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...35189,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.340110839005781
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRKoWLXnIrPw/pnxQwRcWT5sKmgbv73eHVpjO+aamhujJwO2c0TiV5:GUpOxkW1nRcoegD73erjxa4Jwc3zBtT
MD5:	9F03A44080D5CA41859046CD47A6CBBA
SHA1:	605E80A7C40A1C97D3F47CE0DBEE6FA8B9C80DCC
SHA-256:	436AAFB86F46D5613FBD04650C185A6AAAEBF88B29DA1241CA2D0068AE5A7A00
SHA-512:	42088D24806C856D30B014C4A7C63772788E2A727942A1E685B8E9A0E339C9BD4DF48704A43CD23EACF0EF441C3E0D062BD8ABB5CD5A210F6C85DB2116B46FC6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{0b64e77d-7bb4-45d5-a6c7-3ef56c8954c3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734084966009,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..iUpdate...10,"startTim..P32022...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...35189,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.340110839005781
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRKoWLXnIrPw/pnxQwRcWT5sKmgbv73eHVpjO+aamhujJwO2c0TiV5:GUpOxkW1nRcoegD73erjxa4Jwc3zBtT
MD5:	9F03A44080D5CA41859046CD47A6CBBA
SHA1:	605E80A7C40A1C97D3F47CE0DBEE6FA8B9C80DCC
SHA-256:	436AAFB86F46D5613FBD04650C185A6AAAEBF88B29DA1241CA2D0068AE5A7A00
SHA-512:	42088D24806C856D30B014C4A7C63772788E2A727942A1E685B8E9A0E339C9BD4DF48704A43CD23EACF0EF441C3E0D062BD8ABB5CD5A210F6C85DB2116B46FC6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{0b64e77d-7bb4-45d5-a6c7-3ef56c8954c3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1734084966009,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..iUpdate...10,"startTim..P32022...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...35189,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029812527899663
Encrypted:	false
SSDEEP:	96:ycCMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:VTEr5NX0z3DhRe
MD5:	F50B0CEF4C5D0422BD5D9D47CC636C5C
SHA1:	7C83FC03B17A4CA663D7DCC5BF9F8D7629D34ADC
SHA-256:	5743A3E4EE86EC1169753E510509F9EC2349BC74DDA7D6989B445A8773874681
SHA-512:	44C9263E95A5EC766259351C9D981C4B8C9280A7233CF74FE8362B638F7FA8F226003337408764A57265FAA75958D8C2E1ACC96B9E6D5EF6B08E2A262ECA3168
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T10:15:48.643Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029812527899663
Encrypted:	false
SSDEEP:	96:ycCMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:VTEr5NX0z3DhRe
MD5:	F50B0CEF4C5D0422BD5D9D47CC636C5C
SHA1:	7C83FC03B17A4CA663D7DCC5BF9F8D7629D34ADC
SHA-256:	5743A3E4EE86EC1169753E510509F9EC2349BC74DDA7D6989B445A8773874681
SHA-512:	44C9263E95A5EC766259351C9D981C4B8C9280A7233CF74FE8362B638F7FA8F226003337408764A57265FAA75958D8C2E1ACC96B9E6D5EF6B08E2A262ECA3168
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T10:15:48.643Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.701800982201782
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	969'728 bytes
MD5:	a42c2512c7c450e1f1be312fbd38ac1b
SHA1:	830655bc2ae30b03b1b6f31f1f8229c15a9c712b
SHA256:	f4eecef17c99bb3d44793ec672f3c26c4cc2972578a95d7c1afc4945aa43b0f2
SHA512:	c464eb64bcd3813f8db5c1a0edf696e39674279b5270cb2f8a6100df5dce6ae3f25df6833f2bc8ca7ff4b926427d2f190af414c5e06b9f1bda846d0d882de71a
SSDEEP:	24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8ah6m:dTvC/MTQYxsWR7ah6
TLSH:	38259E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BF085 [Fri Dec 13 08:29:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5715008A23h
jmp 00007F571500832Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F571500850Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F57150084DAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F571500B0CDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F571500B118h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F571500B101h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16088	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16088	0x16200	d5c297ea466026a8d617539d3be2eccc	False	0.6985897775423728	data	7.165799427962069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd20c	data			1.0004835230231348
RT_GROUP_ICON	0xe9b08	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9b80	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9b94	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9ba8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9bbc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9c98	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 10:03:57.233257055 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:57.233299017 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:03:57.234045029 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:57.242079973 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:57.242100000 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:03:57.732415915 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:57.732481956 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:57.733658075 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:57.734114885 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:57.734132051 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:57.734410048 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:57.734447956 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:57.735331059 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:57.736784935 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:57.736802101 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:57.740573883 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:57.861485004 CET	80	49713	34.107.221.82	192.168.2.5
Dec 13, 2024 10:03:57.861644030 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:57.861798048 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:57.982500076 CET	80	49713	34.107.221.82	192.168.2.5
Dec 13, 2024 10:03:58.438307047 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:58.438366890 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:58.453340054 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:58.466835976 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:03:58.470314980 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:58.470330954 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:58.474394083 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:58.548017025 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:58.548017025 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:58.548046112 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:03:58.548320055 CET	443	49710	35.190.72.216	192.168.2.5
Dec 13, 2024 10:03:58.548650026 CET	49710	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:03:58.679625988 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:58.679680109 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:03:58.680262089 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:58.680382967 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:58.680392981 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:03:58.686768055 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:58.686791897 CET	443	49717	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:58.686923981 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:58.688337088 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:58.688344955 CET	443	49717	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:58.949692011 CET	80	49713	34.107.221.82	192.168.2.5
Dec 13, 2024 10:03:58.994781017 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:03:58.994821072 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:03:58.995117903 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:03:58.995353937 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:03:58.995368004 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:03:58.999852896 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:59.184617996 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:59.304537058 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:03:59.304610968 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:59.304764986 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:59.424396992 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:03:59.431967020 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.432090044 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.432991982 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.433193922 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.435520887 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.436233997 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.437031984 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.437038898 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.437103033 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.437195063 CET	443	49712	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.437319040 CET	49712	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.437333107 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.437362909 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.442527056 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.442544937 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.442605972 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.442672014 CET	443	49711	142.250.181.110	192.168.2.5
Dec 13, 2024 10:03:59.454483986 CET	49711	443	192.168.2.5	142.250.181.110
Dec 13, 2024 10:03:59.692723989 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.692760944 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.692825079 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.697280884 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.697300911 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.697428942 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.697513103 CET	443	49715	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.697809935 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.697853088 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.697871923 CET	49715	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.698143005 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.699497938 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.699506998 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.883327961 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:03:59.896075964 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:03:59.896150112 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:59.899349928 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:59.899363995 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:03:59.899797916 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:03:59.901812077 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:59.901886940 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:59.901971102 CET	443	49716	35.244.181.201	192.168.2.5
Dec 13, 2024 10:03:59.902189016 CET	49716	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:03:59.910779953 CET	443	49717	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.911535978 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.916191101 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.916208029 CET	443	49717	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.916275024 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.916342974 CET	443	49717	34.117.188.166	192.168.2.5
Dec 13, 2024 10:03:59.921515942 CET	49717	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:03:59.938333988 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:03:59.938374996 CET	443	49722	34.107.243.93	192.168.2.5
Dec 13, 2024 10:03:59.938477993 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:03:59.939899921 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:03:59.939915895 CET	443	49722	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:00.003189087 CET	80	49713	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:00.011332989 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:00.011394024 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:00.018237114 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:00.019572973 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:00.019593954 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:00.200468063 CET	80	49713	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:00.200897932 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:00.215420008 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:04:00.215491056 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:04:00.218373060 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:04:00.218378067 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:04:00.218719959 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:04:00.220890045 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:04:00.220890045 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:04:00.221030951 CET	443	49718	34.160.144.191	192.168.2.5
Dec 13, 2024 10:04:00.221259117 CET	49718	443	192.168.2.5	34.160.144.191
Dec 13, 2024 10:04:00.321338892 CET	80	49713	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:00.321439028 CET	49713	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:00.396920919 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:00.409322977 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:00.529700994 CET	80	49719	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:00.530467033 CET	49719	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:00.925117016 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:00.925911903 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:00.954933882 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:00.954988956 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:00.955173016 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:00.955518007 CET	443	49721	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:00.966007948 CET	49721	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:01.164011002 CET	443	49722	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:01.164098978 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:01.168840885 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:01.168873072 CET	443	49722	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:01.168922901 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:01.169109106 CET	443	49722	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:01.169169903 CET	49722	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:01.246341944 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:01.246376991 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:01.246459007 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:01.251508951 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:01.251522064 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:01.251625061 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:01.251823902 CET	443	49723	34.117.188.166	192.168.2.5
Dec 13, 2024 10:04:01.251895905 CET	49723	443	192.168.2.5	34.117.188.166
Dec 13, 2024 10:04:02.585141897 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:02.596363068 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:02.704988956 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:02.705106974 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:02.705286980 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:02.719379902 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:02.719453096 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:02.719590902 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:02.827384949 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:02.841181993 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:03.072319031 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:03.072381973 CET	443	49728	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:03.073427916 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:03.073456049 CET	443	49729	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:03.075515985 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:03.075601101 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:03.077074051 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:03.077095032 CET	443	49728	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:03.078596115 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:03.078627110 CET	443	49729	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:03.792403936 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:03.812010050 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:03.817275047 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:03.854738951 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:03.937181950 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:04.131952047 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:04.168800116 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:04.168838978 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:04.169050932 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:04.169182062 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:04.169194937 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:04.185426950 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:04.297352076 CET	443	49728	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.297446012 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.304935932 CET	443	49729	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:04.305002928 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:04.337335110 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.337383986 CET	443	49728	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.337443113 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.338068962 CET	443	49728	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.339365005 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:04.339396954 CET	443	49729	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:04.339426994 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:04.340102911 CET	443	49729	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:04.340831995 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:04.342513084 CET	49728	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.342515945 CET	49729	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:04.349533081 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.349560022 CET	443	49731	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.349666119 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.349806070 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.349841118 CET	443	49732	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.349877119 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.349889040 CET	443	49731	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.350147009 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.350207090 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.350215912 CET	443	49732	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.460824013 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:04.483128071 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.483172894 CET	443	49733	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.483248949 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.484636068 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:04.484657049 CET	443	49733	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:04.657247066 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:04.660274029 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:04.703932047 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:04.780693054 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:04.975341082 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:05.020438910 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:05.381906033 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:05.382044077 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:05.564806938 CET	443	49731	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.564903021 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.584568024 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:05.584599972 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:05.584986925 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:05.587706089 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.587754965 CET	443	49731	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.588123083 CET	443	49731	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.591176033 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:05.591444969 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:05.591511965 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:05.591521025 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:05.591808081 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.591866970 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.591965914 CET	443	49731	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.592050076 CET	49731	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.623393059 CET	443	49732	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.625060081 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.628417969 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.628427982 CET	443	49732	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.628791094 CET	443	49732	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.630692005 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.630775928 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.630968094 CET	49732	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.700256109 CET	443	49733	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.707256079 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.711508036 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.711525917 CET	443	49733	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.711592913 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.711718082 CET	443	49733	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:05.722618103 CET	49733	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:05.799375057 CET	443	49730	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:05.807329893 CET	49730	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:10.007474899 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:10.144992113 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:10.199337959 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:10.199373960 CET	443	49739	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:10.202354908 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:10.203638077 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:10.203654051 CET	443	49739	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:10.210464001 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:10.210549116 CET	443	49740	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:10.214941978 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:10.216315031 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:10.216347933 CET	443	49740	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:10.339345932 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:10.380290985 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:10.511648893 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:10.631355047 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:10.826251030 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:10.881798029 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:11.427155018 CET	443	49739	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:11.427229881 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:11.432461977 CET	443	49740	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:11.433413029 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:12.234498024 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:12.234520912 CET	443	49739	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:12.234714985 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:12.234760046 CET	443	49739	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:12.234937906 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:12.235023975 CET	443	49740	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:12.235066891 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:12.235189915 CET	49739	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:12.235239029 CET	443	49740	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:12.235585928 CET	49740	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:12.612591028 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:12.732541084 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:12.927522898 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:12.987900972 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:13.297003031 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:13.417016983 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:13.611882925 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:13.652189970 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:22.768573999 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:22.768651009 CET	443	49772	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:22.768908024 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:22.770148039 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:22.770184040 CET	443	49772	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:22.927570105 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:23.047404051 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:23.629676104 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:23.749500990 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:23.988815069 CET	443	49772	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:23.988930941 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:23.992598057 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:23.992631912 CET	443	49772	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:23.992705107 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:23.992891073 CET	443	49772	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:23.993335009 CET	49772	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:23.995461941 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:24.115371943 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:24.310431957 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:24.313493013 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:24.362835884 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:24.433690071 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:24.628242970 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:24.679326057 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:26.146872044 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:26.146900892 CET	443	49783	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:26.147468090 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:26.147630930 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:26.147644043 CET	443	49783	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:26.175978899 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:26.176017046 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:26.180123091 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:26.180143118 CET	443	49785	35.190.72.216	192.168.2.5
Dec 13, 2024 10:04:26.183760881 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:26.183760881 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:26.184092045 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:26.184106112 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:26.186237097 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:26.186250925 CET	443	49785	35.190.72.216	192.168.2.5
Dec 13, 2024 10:04:26.306672096 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:26.306720972 CET	443	49786	151.101.65.91	192.168.2.5
Dec 13, 2024 10:04:26.307176113 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:26.307272911 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:26.307277918 CET	443	49786	151.101.65.91	192.168.2.5
Dec 13, 2024 10:04:26.469360113 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:26.469464064 CET	443	49787	35.201.103.21	192.168.2.5
Dec 13, 2024 10:04:26.469639063 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:26.470825911 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:26.470861912 CET	443	49787	35.201.103.21	192.168.2.5
Dec 13, 2024 10:04:27.362082958 CET	443	49783	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.363713980 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.367934942 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.367942095 CET	443	49783	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.368263960 CET	443	49783	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.370652914 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.370723009 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.370836973 CET	443	49783	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.371505976 CET	49783	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.379671097 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:27.402636051 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.402673006 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.402717113 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.404000998 CET	443	49785	35.190.72.216	192.168.2.5
Dec 13, 2024 10:04:27.407421112 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.407440901 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.408236980 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.409542084 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.409650087 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.409909964 CET	443	49784	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.409986973 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.410003901 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:27.411942959 CET	49784	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.415471077 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:27.415482044 CET	443	49785	35.190.72.216	192.168.2.5
Dec 13, 2024 10:04:27.415533066 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:27.416071892 CET	443	49785	35.190.72.216	192.168.2.5
Dec 13, 2024 10:04:27.416310072 CET	49785	443	192.168.2.5	35.190.72.216
Dec 13, 2024 10:04:27.561958075 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:27.576520920 CET	443	49786	151.101.65.91	192.168.2.5
Dec 13, 2024 10:04:27.576666117 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:27.580519915 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:27.580553055 CET	443	49786	151.101.65.91	192.168.2.5
Dec 13, 2024 10:04:27.580976009 CET	443	49786	151.101.65.91	192.168.2.5
Dec 13, 2024 10:04:27.582833052 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:27.582926989 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:27.583030939 CET	443	49786	151.101.65.91	192.168.2.5
Dec 13, 2024 10:04:27.587847948 CET	49786	443	192.168.2.5	151.101.65.91
Dec 13, 2024 10:04:27.592596054 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.592698097 CET	443	49788	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.592811108 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.592955112 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.592972994 CET	443	49788	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.594995022 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.595073938 CET	443	49789	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.595328093 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.595448017 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.595472097 CET	443	49789	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.597249985 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.597289085 CET	443	49790	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.597390890 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.597465038 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:27.597482920 CET	443	49790	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:27.802135944 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:27.805785894 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:27.816776991 CET	443	49787	35.201.103.21	192.168.2.5
Dec 13, 2024 10:04:27.816880941 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:27.821491957 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:27.821508884 CET	443	49787	35.201.103.21	192.168.2.5
Dec 13, 2024 10:04:27.821614027 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:27.821768045 CET	443	49787	35.201.103.21	192.168.2.5
Dec 13, 2024 10:04:27.822875977 CET	49787	443	192.168.2.5	35.201.103.21
Dec 13, 2024 10:04:27.824568033 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:27.835959911 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.836020947 CET	443	49791	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.836160898 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.836332083 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:27.836352110 CET	443	49791	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:27.925607920 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:27.944462061 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:28.120251894 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:28.138704062 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:28.142081022 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:28.189583063 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:28.262027979 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:28.456923008 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:28.506109953 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:28.900533915 CET	443	49790	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.900630951 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.900759935 CET	443	49789	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.900840998 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.901128054 CET	443	49788	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.901231050 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.903049946 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.903064966 CET	443	49790	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.903492928 CET	443	49790	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.906610012 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.906618118 CET	443	49788	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.907015085 CET	443	49788	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.910028934 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.910043001 CET	443	49789	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.910449028 CET	443	49789	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.914700985 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.914962053 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.915138960 CET	443	49790	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.915299892 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.915358067 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.915582895 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.915613890 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.915777922 CET	443	49788	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.915832043 CET	49790	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.916124105 CET	443	49789	35.244.181.201	192.168.2.5
Dec 13, 2024 10:04:28.918076992 CET	49788	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.918092012 CET	49789	443	192.168.2.5	35.244.181.201
Dec 13, 2024 10:04:28.918513060 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:29.038324118 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:29.050909042 CET	443	49791	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:29.051131010 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:29.055172920 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:29.055207014 CET	443	49791	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:29.055593967 CET	443	49791	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:29.057866096 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:29.057955027 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:29.058053017 CET	443	49791	34.149.100.209	192.168.2.5
Dec 13, 2024 10:04:29.058252096 CET	49791	443	192.168.2.5	34.149.100.209
Dec 13, 2024 10:04:29.232990980 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:29.236726046 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:29.277302980 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:29.356518030 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:29.551311016 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:29.593816996 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:32.522780895 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:32.642508030 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:32.836992979 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:32.843597889 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:32.884573936 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:32.963521957 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:33.158354044 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:33.207606077 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:42.850797892 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:42.970586061 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:43.167422056 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:43.287369013 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:44.143569946 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:44.143645048 CET	443	49834	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:44.144066095 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:44.145343065 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:44.145378113 CET	443	49834	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:45.368217945 CET	443	49834	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:45.368607998 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:45.372606993 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:45.372637987 CET	443	49834	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:45.372735023 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:45.372931004 CET	443	49834	34.107.243.93	192.168.2.5
Dec 13, 2024 10:04:45.374023914 CET	49834	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:04:45.376169920 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:45.495959997 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:45.690383911 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:45.693265915 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:45.742836952 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:45.813189030 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:46.014736891 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:46.059386969 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:55.702636003 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:55.823760033 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:56.019140959 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:56.034547091 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:56.034603119 CET	443	49861	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:56.034782887 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:56.034826040 CET	443	49862	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:56.035275936 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:56.035409927 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:56.035410881 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:56.035422087 CET	443	49861	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:56.035578966 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:56.035597086 CET	443	49862	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:56.138967991 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:57.252897024 CET	443	49862	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.253914118 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.258408070 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.258438110 CET	443	49862	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.258838892 CET	443	49862	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.258956909 CET	443	49861	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.259283066 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.262645960 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.262655973 CET	443	49861	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.263060093 CET	443	49861	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.265621901 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.265759945 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.265801907 CET	443	49862	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.266021013 CET	49862	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.267225981 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.267292023 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.267432928 CET	443	49861	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.267503023 CET	49861	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.274918079 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:57.287045002 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.287086010 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.287136078 CET	443	49868	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.287161112 CET	443	49869	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.287554026 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.287653923 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.287727118 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.287746906 CET	443	49868	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.287864923 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.287882090 CET	443	49869	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.309684992 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.309772015 CET	443	49870	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.309983015 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.310086012 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:57.310106993 CET	443	49870	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:57.394845009 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:57.589384079 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:57.636666059 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:57.639451027 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:57.759440899 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:57.958090067 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:58.009543896 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:58.560611963 CET	443	49869	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.560691118 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.561427116 CET	443	49870	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.561700106 CET	443	49868	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.563294888 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.563333035 CET	443	49869	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.563733101 CET	443	49869	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.564470053 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.564471006 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.566638947 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.566694975 CET	443	49868	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.567199945 CET	443	49868	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.568509102 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.568587065 CET	443	49870	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.568957090 CET	443	49870	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.570744038 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.570822954 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.570945024 CET	443	49869	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.574177980 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.574177980 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.574851036 CET	443	49868	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.575079918 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.575081110 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.575469017 CET	443	49870	34.120.208.123	192.168.2.5
Dec 13, 2024 10:04:58.576456070 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.576467037 CET	49869	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.576499939 CET	49870	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.576499939 CET	49868	443	192.168.2.5	34.120.208.123
Dec 13, 2024 10:04:58.577936888 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:58.697722912 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:58.892605066 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:58.895288944 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:58.943213940 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:04:59.015491009 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:59.210767984 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:04:59.259818077 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:08.910007954 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:09.030038118 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:09.226417065 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:09.346523046 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:19.041994095 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:19.162472010 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:19.358560085 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:19.478880882 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:25.517838001 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:25.517884016 CET	443	49937	34.107.243.93	192.168.2.5
Dec 13, 2024 10:05:25.518223047 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:25.519695997 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:25.519711018 CET	443	49937	34.107.243.93	192.168.2.5
Dec 13, 2024 10:05:26.733547926 CET	443	49937	34.107.243.93	192.168.2.5
Dec 13, 2024 10:05:26.733653069 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:26.736912012 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:26.736927032 CET	443	49937	34.107.243.93	192.168.2.5
Dec 13, 2024 10:05:26.736995935 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:26.737123013 CET	443	49937	34.107.243.93	192.168.2.5
Dec 13, 2024 10:05:26.737185955 CET	49937	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:05:26.739270926 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:26.859404087 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:27.062012911 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:27.067435026 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:27.112025976 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:27.187534094 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:27.382179976 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:27.428498030 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:37.070581913 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:37.190817118 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:37.393402100 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:37.513335943 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:47.200428963 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:47.320878029 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:47.523407936 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:47.643343925 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:57.329427004 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:57.449655056 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:05:57.652602911 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:05:57.772825003 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:07.457228899 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:07.577610970 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:07.780065060 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:07.900295019 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:17.586391926 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:17.706790924 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:17.909260988 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:18.029436111 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:27.716226101 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:27.836194038 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:28.038757086 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:28.158729076 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:37.843830109 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:37.964044094 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:38.166714907 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:38.286740065 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:47.034858942 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:47.034950972 CET	443	50027	34.107.243.93	192.168.2.5
Dec 13, 2024 10:06:47.035056114 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:47.036631107 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:47.036676884 CET	443	50027	34.107.243.93	192.168.2.5
Dec 13, 2024 10:06:47.972167969 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:48.092575073 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:48.248017073 CET	443	50027	34.107.243.93	192.168.2.5
Dec 13, 2024 10:06:48.248182058 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:48.252616882 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:48.252648115 CET	443	50027	34.107.243.93	192.168.2.5
Dec 13, 2024 10:06:48.252727032 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:48.252825975 CET	443	50027	34.107.243.93	192.168.2.5
Dec 13, 2024 10:06:48.253887892 CET	50027	443	192.168.2.5	34.107.243.93
Dec 13, 2024 10:06:48.255250931 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:48.295178890 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:48.375279903 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:48.415141106 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:48.570682049 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:48.574160099 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:48.611742020 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:48.694108963 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:48.888895035 CET	80	49725	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:48.943295002 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:58.580630064 CET	49726	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:58.700819969 CET	80	49726	34.107.221.82	192.168.2.5
Dec 13, 2024 10:06:58.896980047 CET	49725	80	192.168.2.5	34.107.221.82
Dec 13, 2024 10:06:59.017184973 CET	80	49725	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 10:03:57.233350992 CET	62313	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.371426105 CET	53	62313	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:57.396400928 CET	50344	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.594379902 CET	59492	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.601938963 CET	52630	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.731532097 CET	53	59492	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:57.732590914 CET	61794	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.737008095 CET	53	50344	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:57.740571022 CET	62752	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.870879889 CET	53	61794	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:57.871542931 CET	50658	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.878947020 CET	53	62752	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:57.879674911 CET	62897	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:57.899704933 CET	64862	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.009480953 CET	53	50658	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.016591072 CET	53	62897	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.038264990 CET	53	64862	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.470669985 CET	53275	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.548115015 CET	60252	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.609250069 CET	53	53275	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.620258093 CET	58491	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.680202961 CET	62006	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.686088085 CET	53	60252	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.688940048 CET	64125	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.758558035 CET	53	58491	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.827193022 CET	53	64125	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.827987909 CET	54506	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.852339983 CET	62164	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.904099941 CET	53	62006	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.904814959 CET	57075	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.965261936 CET	53	54506	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:58.975852966 CET	64729	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:58.993386030 CET	53	62164	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.021893024 CET	53817	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.042561054 CET	53	57075	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.046660900 CET	55702	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.053091049 CET	64289	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.113826990 CET	53	64729	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.160269976 CET	63341	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.163953066 CET	53	53817	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.195552111 CET	53	64289	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.198923111 CET	62959	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.336324930 CET	53	62959	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.511914015 CET	50179	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.649420023 CET	53	50179	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.650737047 CET	65527	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.788640022 CET	53	65527	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.798783064 CET	57212	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:03:59.812086105 CET	53	59377	1.1.1.1	192.168.2.5
Dec 13, 2024 10:03:59.936913967 CET	53	57212	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:02.580279112 CET	56713	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:02.719393015 CET	53	56713	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:02.720283031 CET	59738	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:02.857458115 CET	53	59738	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:02.858222008 CET	58422	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:02.924402952 CET	58363	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:02.997417927 CET	53	58422	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:03.063420057 CET	53	58363	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:03.072814941 CET	58125	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:03.073503017 CET	54760	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:03.213701010 CET	53	58125	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:03.215383053 CET	53	54760	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:03.245996952 CET	59265	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:03.246376991 CET	61724	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:03.384479046 CET	53	59265	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:03.384501934 CET	53	61724	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:04.168956041 CET	57521	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:04.314120054 CET	53	57521	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:09.717573881 CET	58425	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:09.717781067 CET	57806	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:09.718003035 CET	55451	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:09.855545044 CET	53	57806	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:09.855591059 CET	53	58425	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:09.857563972 CET	53	55451	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.006226063 CET	57210	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.006304026 CET	64162	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.006509066 CET	51848	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.007411957 CET	53298	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.162561893 CET	53	57210	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.163202047 CET	60031	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.163238049 CET	53	64162	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.163780928 CET	52931	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.164310932 CET	53	51848	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.164666891 CET	59300	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.300333023 CET	53	60031	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.302762032 CET	53	52931	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.316801071 CET	59683	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.316975117 CET	63805	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.394525051 CET	53	59300	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.454277039 CET	53	63805	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.455070972 CET	53	59683	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.455096960 CET	50883	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.592799902 CET	53	50883	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:10.593425035 CET	54942	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:10.732381105 CET	53	54942	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:11.306583881 CET	60076	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:11.306901932 CET	59405	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:11.312381029 CET	56363	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:11.313808918 CET	50014	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:11.444449902 CET	53	60076	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:11.450735092 CET	53	50014	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:11.522051096 CET	53	59405	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:11.522680044 CET	61854	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:11.733469963 CET	53	61854	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:12.146728992 CET	53324	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:12.612855911 CET	52979	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:12.752865076 CET	51250	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:13.296842098 CET	51283	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:13.840466022 CET	49770	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:22.629508972 CET	58736	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:22.767721891 CET	53	58736	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:22.768748045 CET	62651	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:22.910427094 CET	53	62651	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:23.995537043 CET	49391	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.145999908 CET	58221	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.167953014 CET	64310	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.180659056 CET	51919	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.287026882 CET	53	58221	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:26.305804968 CET	53	64310	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:26.307149887 CET	51706	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.444303989 CET	53	51706	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:26.445024014 CET	62632	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.468301058 CET	53	51919	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:26.470204115 CET	51315	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.583323002 CET	53	62632	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:26.679191113 CET	53	51315	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:26.680288076 CET	62248	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:26.822479963 CET	53	62248	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:44.003361940 CET	49781	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:44.142677069 CET	53	49781	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:44.143815994 CET	58475	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:44.281373978 CET	53	58475	1.1.1.1	192.168.2.5
Dec 13, 2024 10:04:56.035644054 CET	59114	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:04:56.172889948 CET	53	59114	1.1.1.1	192.168.2.5
Dec 13, 2024 10:05:25.378514051 CET	54102	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:05:25.516652107 CET	53	54102	1.1.1.1	192.168.2.5
Dec 13, 2024 10:05:25.517744064 CET	53132	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:05:25.656306982 CET	53	53132	1.1.1.1	192.168.2.5
Dec 13, 2024 10:05:26.739511013 CET	63457	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:06:46.756540060 CET	59868	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:06:46.893896103 CET	53	59868	1.1.1.1	192.168.2.5
Dec 13, 2024 10:06:46.895159006 CET	64484	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:06:47.033699989 CET	53	64484	1.1.1.1	192.168.2.5
Dec 13, 2024 10:06:47.034437895 CET	60747	53	192.168.2.5	1.1.1.1
Dec 13, 2024 10:06:47.172772884 CET	53	60747	1.1.1.1	192.168.2.5
Dec 13, 2024 10:06:48.255337000 CET	52611	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 10:03:57.233350992 CET	192.168.2.5	1.1.1.1	0x9c82	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.396400928 CET	192.168.2.5	1.1.1.1	0x3ff4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:03:57.594379902 CET	192.168.2.5	1.1.1.1	0x243c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.601938963 CET	192.168.2.5	1.1.1.1	0xf291	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.732590914 CET	192.168.2.5	1.1.1.1	0xab82	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.740571022 CET	192.168.2.5	1.1.1.1	0xd188	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.871542931 CET	192.168.2.5	1.1.1.1	0xda99	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 10:03:57.879674911 CET	192.168.2.5	1.1.1.1	0xd384	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:03:57.899704933 CET	192.168.2.5	1.1.1.1	0x86ac	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.470669985 CET	192.168.2.5	1.1.1.1	0xb8f8	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.548115015 CET	192.168.2.5	1.1.1.1	0xdd7	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.620258093 CET	192.168.2.5	1.1.1.1	0x5c46	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:03:58.680202961 CET	192.168.2.5	1.1.1.1	0x246d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.688940048 CET	192.168.2.5	1.1.1.1	0x70a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.827987909 CET	192.168.2.5	1.1.1.1	0x588c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:03:58.852339983 CET	192.168.2.5	1.1.1.1	0xd83f	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.904814959 CET	192.168.2.5	1.1.1.1	0xd03c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:03:58.975852966 CET	192.168.2.5	1.1.1.1	0x7fad	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.021893024 CET	192.168.2.5	1.1.1.1	0x3d43	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.046660900 CET	192.168.2.5	1.1.1.1	0x17f2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.053091049 CET	192.168.2.5	1.1.1.1	0x4e85	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.160269976 CET	192.168.2.5	1.1.1.1	0xa0f1	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.198923111 CET	192.168.2.5	1.1.1.1	0x4116	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:03:59.511914015 CET	192.168.2.5	1.1.1.1	0x9069	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.650737047 CET	192.168.2.5	1.1.1.1	0x185f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.798783064 CET	192.168.2.5	1.1.1.1	0x700e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:02.580279112 CET	192.168.2.5	1.1.1.1	0x82b1	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:02.720283031 CET	192.168.2.5	1.1.1.1	0xdac5	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:02.858222008 CET	192.168.2.5	1.1.1.1	0xc725	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:04:02.924402952 CET	192.168.2.5	1.1.1.1	0x449e	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.072814941 CET	192.168.2.5	1.1.1.1	0xf905	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.073503017 CET	192.168.2.5	1.1.1.1	0x3228	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.245996952 CET	192.168.2.5	1.1.1.1	0x5625	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:03.246376991 CET	192.168.2.5	1.1.1.1	0x4432	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:04:04.168956041 CET	192.168.2.5	1.1.1.1	0x78e2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:04:09.717573881 CET	192.168.2.5	1.1.1.1	0xc18	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.717781067 CET	192.168.2.5	1.1.1.1	0xc09d	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.718003035 CET	192.168.2.5	1.1.1.1	0xfff1	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.006226063 CET	192.168.2.5	1.1.1.1	0x50bd	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.006304026 CET	192.168.2.5	1.1.1.1	0xdf33	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.006509066 CET	192.168.2.5	1.1.1.1	0x8a34	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.007411957 CET	192.168.2.5	1.1.1.1	0x8e28	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.163202047 CET	192.168.2.5	1.1.1.1	0x3393	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:10.163780928 CET	192.168.2.5	1.1.1.1	0xb66e	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:10.164666891 CET	192.168.2.5	1.1.1.1	0x6560	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 10:04:10.316801071 CET	192.168.2.5	1.1.1.1	0x9630	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.316975117 CET	192.168.2.5	1.1.1.1	0x35ca	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.455096960 CET	192.168.2.5	1.1.1.1	0xe564	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.593425035 CET	192.168.2.5	1.1.1.1	0xabab	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:11.306583881 CET	192.168.2.5	1.1.1.1	0xf57e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:11.306901932 CET	192.168.2.5	1.1.1.1	0x6a45	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.312381029 CET	192.168.2.5	1.1.1.1	0x75fa	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.313808918 CET	192.168.2.5	1.1.1.1	0xf403	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:11.522680044 CET	192.168.2.5	1.1.1.1	0xc1fe	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 10:04:12.146728992 CET	192.168.2.5	1.1.1.1	0xb1a8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:12.612855911 CET	192.168.2.5	1.1.1.1	0x62d5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:12.752865076 CET	192.168.2.5	1.1.1.1	0x3f25	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:13.296842098 CET	192.168.2.5	1.1.1.1	0x52e0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:13.840466022 CET	192.168.2.5	1.1.1.1	0xbb07	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:22.629508972 CET	192.168.2.5	1.1.1.1	0x6070	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:22.768748045 CET	192.168.2.5	1.1.1.1	0x74b9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:23.995537043 CET	192.168.2.5	1.1.1.1	0x4a4b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.145999908 CET	192.168.2.5	1.1.1.1	0xf598	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 10:04:26.167953014 CET	192.168.2.5	1.1.1.1	0x23e1	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.180659056 CET	192.168.2.5	1.1.1.1	0x76bf	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.307149887 CET	192.168.2.5	1.1.1.1	0xb3a6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.445024014 CET	192.168.2.5	1.1.1.1	0x23b8	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 10:04:26.470204115 CET	192.168.2.5	1.1.1.1	0xce9b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.680288076 CET	192.168.2.5	1.1.1.1	0x45bd	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:44.003361940 CET	192.168.2.5	1.1.1.1	0xfbd8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:44.143815994 CET	192.168.2.5	1.1.1.1	0x885a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:04:56.035644054 CET	192.168.2.5	1.1.1.1	0x16ec	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:05:25.378514051 CET	192.168.2.5	1.1.1.1	0xbf63	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:05:25.517744064 CET	192.168.2.5	1.1.1.1	0xa210	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:05:26.739511013 CET	192.168.2.5	1.1.1.1	0x598f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:06:46.756540060 CET	192.168.2.5	1.1.1.1	0xc5f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:06:46.895159006 CET	192.168.2.5	1.1.1.1	0x152	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:06:47.034437895 CET	192.168.2.5	1.1.1.1	0x99e1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 10:06:48.255337000 CET	192.168.2.5	1.1.1.1	0x8f6a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 10:03:57.230901957 CET	1.1.1.1	192.168.2.5	0xeb23	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.371426105 CET	1.1.1.1	192.168.2.5	0x9c82	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.731532097 CET	1.1.1.1	192.168.2.5	0x243c	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.739711046 CET	1.1.1.1	192.168.2.5	0xf291	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:57.739711046 CET	1.1.1.1	192.168.2.5	0xf291	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.870879889 CET	1.1.1.1	192.168.2.5	0xab82	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:57.878947020 CET	1.1.1.1	192.168.2.5	0xd188	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.009480953 CET	1.1.1.1	192.168.2.5	0xda99	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 10:03:58.016591072 CET	1.1.1.1	192.168.2.5	0xd384	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 10:03:58.038264990 CET	1.1.1.1	192.168.2.5	0x86ac	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.609250069 CET	1.1.1.1	192.168.2.5	0xb8f8	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.678755045 CET	1.1.1.1	192.168.2.5	0x7c0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:58.678755045 CET	1.1.1.1	192.168.2.5	0x7c0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.686088085 CET	1.1.1.1	192.168.2.5	0xdd7	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:58.686088085 CET	1.1.1.1	192.168.2.5	0xdd7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.827193022 CET	1.1.1.1	192.168.2.5	0x70a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.904099941 CET	1.1.1.1	192.168.2.5	0x246d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:58.993386030 CET	1.1.1.1	192.168.2.5	0xd83f	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:58.993386030 CET	1.1.1.1	192.168.2.5	0xd83f	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:58.993386030 CET	1.1.1.1	192.168.2.5	0xd83f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.113826990 CET	1.1.1.1	192.168.2.5	0x7fad	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.163953066 CET	1.1.1.1	192.168.2.5	0x3d43	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.163953066 CET	1.1.1.1	192.168.2.5	0x3d43	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.183825016 CET	1.1.1.1	192.168.2.5	0x17f2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:59.183825016 CET	1.1.1.1	192.168.2.5	0x17f2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.195552111 CET	1.1.1.1	192.168.2.5	0x4e85	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.336324930 CET	1.1.1.1	192.168.2.5	0x4116	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 10:03:59.376595974 CET	1.1.1.1	192.168.2.5	0xa0f1	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:03:59.649420023 CET	1.1.1.1	192.168.2.5	0x9069	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:03:59.788640022 CET	1.1.1.1	192.168.2.5	0x185f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:02.719393015 CET	1.1.1.1	192.168.2.5	0x82b1	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:02.719393015 CET	1.1.1.1	192.168.2.5	0x82b1	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:02.719393015 CET	1.1.1.1	192.168.2.5	0x82b1	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:02.857458115 CET	1.1.1.1	192.168.2.5	0xdac5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.061269045 CET	1.1.1.1	192.168.2.5	0x1050	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.063420057 CET	1.1.1.1	192.168.2.5	0x449e	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:03.063420057 CET	1.1.1.1	192.168.2.5	0x449e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.213701010 CET	1.1.1.1	192.168.2.5	0xf905	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:03.215383053 CET	1.1.1.1	192.168.2.5	0x3228	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:04.139831066 CET	1.1.1.1	192.168.2.5	0xefdb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:04.139831066 CET	1.1.1.1	192.168.2.5	0xefdb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:04.482209921 CET	1.1.1.1	192.168.2.5	0x317c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855545044 CET	1.1.1.1	192.168.2.5	0xc09d	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855545044 CET	1.1.1.1	192.168.2.5	0xc09d	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.855591059 CET	1.1.1.1	192.168.2.5	0xc18	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:09.857563972 CET	1.1.1.1	192.168.2.5	0xfff1	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:09.857563972 CET	1.1.1.1	192.168.2.5	0xfff1	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.162561893 CET	1.1.1.1	192.168.2.5	0x50bd	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.163238049 CET	1.1.1.1	192.168.2.5	0xdf33	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.164310932 CET	1.1.1.1	192.168.2.5	0x8a34	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.265271902 CET	1.1.1.1	192.168.2.5	0x8e28	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:10.265271902 CET	1.1.1.1	192.168.2.5	0x8e28	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.300333023 CET	1.1.1.1	192.168.2.5	0x3393	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:04:10.300333023 CET	1.1.1.1	192.168.2.5	0x3393	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:04:10.300333023 CET	1.1.1.1	192.168.2.5	0x3393	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:04:10.300333023 CET	1.1.1.1	192.168.2.5	0x3393	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 10:04:10.302762032 CET	1.1.1.1	192.168.2.5	0xb66e	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 10:04:10.394525051 CET	1.1.1.1	192.168.2.5	0x6560	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 10:04:10.454277039 CET	1.1.1.1	192.168.2.5	0x35ca	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.455070972 CET	1.1.1.1	192.168.2.5	0x9630	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:10.455070972 CET	1.1.1.1	192.168.2.5	0x9630	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.455070972 CET	1.1.1.1	192.168.2.5	0x9630	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.455070972 CET	1.1.1.1	192.168.2.5	0x9630	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.455070972 CET	1.1.1.1	192.168.2.5	0x9630	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:10.592799902 CET	1.1.1.1	192.168.2.5	0xe564	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.452370882 CET	1.1.1.1	192.168.2.5	0x75fa	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:11.452370882 CET	1.1.1.1	192.168.2.5	0x75fa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.522051096 CET	1.1.1.1	192.168.2.5	0x6a45	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.522051096 CET	1.1.1.1	192.168.2.5	0x6a45	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.522051096 CET	1.1.1.1	192.168.2.5	0x6a45	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:11.522051096 CET	1.1.1.1	192.168.2.5	0x6a45	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:12.285399914 CET	1.1.1.1	192.168.2.5	0xb1a8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:12.285399914 CET	1.1.1.1	192.168.2.5	0xb1a8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:12.751765013 CET	1.1.1.1	192.168.2.5	0x62d5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:12.751765013 CET	1.1.1.1	192.168.2.5	0x62d5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:12.890830994 CET	1.1.1.1	192.168.2.5	0x3f25	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:12.890830994 CET	1.1.1.1	192.168.2.5	0x3f25	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:13.434201956 CET	1.1.1.1	192.168.2.5	0x52e0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:13.434201956 CET	1.1.1.1	192.168.2.5	0x52e0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:13.978416920 CET	1.1.1.1	192.168.2.5	0xbb07	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:13.978416920 CET	1.1.1.1	192.168.2.5	0xbb07	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:22.767721891 CET	1.1.1.1	192.168.2.5	0x6070	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:24.133527040 CET	1.1.1.1	192.168.2.5	0x4a4b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:24.133527040 CET	1.1.1.1	192.168.2.5	0x4a4b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.305804968 CET	1.1.1.1	192.168.2.5	0x23e1	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.305804968 CET	1.1.1.1	192.168.2.5	0x23e1	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.305804968 CET	1.1.1.1	192.168.2.5	0x23e1	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.305804968 CET	1.1.1.1	192.168.2.5	0x23e1	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.444303989 CET	1.1.1.1	192.168.2.5	0xb3a6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.444303989 CET	1.1.1.1	192.168.2.5	0xb3a6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.444303989 CET	1.1.1.1	192.168.2.5	0xb3a6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.444303989 CET	1.1.1.1	192.168.2.5	0xb3a6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.468301058 CET	1.1.1.1	192.168.2.5	0x76bf	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:26.468301058 CET	1.1.1.1	192.168.2.5	0x76bf	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:26.583323002 CET	1.1.1.1	192.168.2.5	0x23b8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:04:26.583323002 CET	1.1.1.1	192.168.2.5	0x23b8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:04:26.583323002 CET	1.1.1.1	192.168.2.5	0x23b8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:04:26.583323002 CET	1.1.1.1	192.168.2.5	0x23b8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 10:04:26.679191113 CET	1.1.1.1	192.168.2.5	0xce9b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:29.495620012 CET	1.1.1.1	192.168.2.5	0x42cb	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:29.495620012 CET	1.1.1.1	192.168.2.5	0x42cb	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:04:44.142677069 CET	1.1.1.1	192.168.2.5	0xfbd8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:04:56.033466101 CET	1.1.1.1	192.168.2.5	0x2728	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:05:25.516652107 CET	1.1.1.1	192.168.2.5	0xbf63	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:05:26.880042076 CET	1.1.1.1	192.168.2.5	0x598f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:05:26.880042076 CET	1.1.1.1	192.168.2.5	0x598f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:06:46.893896103 CET	1.1.1.1	192.168.2.5	0xc5f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:06:47.033699989 CET	1.1.1.1	192.168.2.5	0x152	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 10:06:48.395708084 CET	1.1.1.1	192.168.2.5	0x8f6a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 10:06:48.395708084 CET	1.1.1.1	192.168.2.5	0x8f6a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:03:57.861798048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:03:58.949692011 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78376 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:03:59.883327961 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:00.200468063 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78378 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49719	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:03:59.304764986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:00.396920919 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82532 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:04:02.705286980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:03.792403936 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66383 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:03.817275047 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:04.131952047 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66383 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:04.660274029 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:04.975341082 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66384 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:10.511648893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:10.826251030 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66390 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:13.297003031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:13.611882925 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66393 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:23.629676104 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:04:24.313493013 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:24.628242970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66404 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:27.805785894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:28.120251894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66407 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:28.142081022 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:28.456923008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66408 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:29.236726046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:29.551311016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66409 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:32.843597889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:33.158354044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66413 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:43.167422056 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:04:45.693265915 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:46.014736891 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66425 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:56.019140959 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:04:57.636666059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:57.958090067 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66437 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:04:58.895288944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:04:59.210767984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66439 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:05:09.226417065 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:19.358560085 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:27.067435026 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:05:27.382179976 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66467 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 10:05:37.393402100 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:47.523407936 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:57.652602911 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:06:07.780065060 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:06:17.909260988 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:06:48.574160099 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 10:06:48.888895035 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 66548 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	34.107.221.82	80	5688	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 10:04:02.719590902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:03.812010050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78381 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:04.340831995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:04.657247066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78382 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:10.007474899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:10.339345932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78388 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:12.612591028 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:12.927522898 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78390 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:22.927570105 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:04:23.995461941 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:24.310431957 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78402 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:27.379671097 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:27.802135944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78405 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:27.824568033 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:28.138704062 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78405 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:28.918513060 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:29.232990980 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78407 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:32.522780895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:32.836992979 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78410 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:42.850797892 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:04:45.376169920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:45.690383911 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78423 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:55.702636003 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:04:57.274918079 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:57.589384079 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78435 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:04:58.577936888 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:04:58.892605066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78436 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:05:08.910007954 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:19.041994095 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:26.739270926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:05:27.062012911 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78464 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 10:05:37.070581913 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:47.200428963 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:05:57.329427004 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:06:07.457228899 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:06:17.586391926 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 10:06:48.255250931 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 10:06:48.570682049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 78546 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	04:03:48
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x870000
File size:	969'728 bytes
MD5 hash:	A42C2512C7C450E1F1BE312FBD38AC1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:03:49
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:03:49
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:03:51
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:03:51
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x3f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:03:52
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	04:03:53
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20230927232528 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80db43b3-06a6-45fd-ab72-eb115fc5e68b} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2291416e710 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:03:56
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e3adfb9-24e3-44e8-97eb-6a9063139a69} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 229269f3e10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	04:04:01
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5036 -prefMapHandle 5032 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cd9c003-7a83-40b4-a5f0-67db82c62fcc} 5688 "\\.\pipe\gecko-crash-server-pipe.5688" 2292bd7ab10 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1750
Total number of Limit Nodes:	57

Executed Functions

Function 008742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0087430D

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

GetCurrentProcess.KERNEL32(?,0090CB64,00000000,?,?), ref: 00874422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00874429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00874454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00874466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00874474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0087447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008744A0

Strings

|O, xrefs: 008B36F8
GetNativeSystemInfo, xrefs: 00874460
kernel32.dll, xrefs: 0087444F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 72f2f9eb2a31be519057d3d2c531bb27d39d3492057121451912f915461db3ab
Instruction ID: 97498a7a1bfdebb1de76cfa6793bcf67de69e872355c36e1547a5b23a787ab85
Opcode Fuzzy Hash: 72f2f9eb2a31be519057d3d2c531bb27d39d3492057121451912f915461db3ab
Instruction Fuzzy Hash: B7A1C46A93E2C4DFC711CF697C409E57FA4BB27744B0495A9E045D3B26E32085C8FB25

Function 008742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008750AA,?,?,00000000,00000000), ref: 008742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008750AA,?,?,00000000,00000000), ref: 008742C9
LoadResource.KERNEL32(?,00000000,?,?,008750AA,?,?,00000000,00000000,?,?,?,?,?,?,00874F20), ref: 008B35BE
SizeofResource.KERNEL32(?,00000000,?,?,008750AA,?,?,00000000,00000000,?,?,?,?,?,?,00874F20), ref: 008B35D3
LockResource.KERNEL32(008750AA,?,?,008750AA,?,?,00000000,00000000,?,?,?,?,?,?,00874F20,?), ref: 008B35E6

Strings

SCRIPT, xrefs: 008742BF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7e45ec8ae874fc1247f597907678fff5ac139e7c156fc7ed2705fb1b25990d04
Instruction ID: 4c6918db9129075fe604bb72038c30bf5fe20d5a85500280641d9aee7aaa56e7
Opcode Fuzzy Hash: 7e45ec8ae874fc1247f597907678fff5ac139e7c156fc7ed2705fb1b25990d04
Instruction Fuzzy Hash: 61118EB0214701BFD7218B69DC48F677BBDFBC5B51F208269F416D6690DBB2DC10AA20

Function 008B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00872B6B

Part of subcall function 00873A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00941418,?,00872E7F,?,?,?,00000000), ref: 00873A78

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00932224), ref: 008B2C10
ShellExecuteW.SHELL32(00000000,?,?,00932224), ref: 008B2C17

Strings

runas, xrefs: 008B2C0B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8cb41da7c05ffdb5d2ed7c8bf338177f17621aabf17e0d83397f74c03d17d09c
Instruction ID: 3382ff90fdbb2c301004301ccfeb7e79f3efef9647160b05e63cb29e12365f37
Opcode Fuzzy Hash: 8cb41da7c05ffdb5d2ed7c8bf338177f17621aabf17e0d83397f74c03d17d09c
Instruction Fuzzy Hash: 8C11B431208305AAC714FF68D892DBE7BA4FF95354F44842DF08AD21AADF30C649A713

Function 008DD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008DD501
Process32FirstW.KERNEL32(00000000,?), ref: 008DD50F
Process32NextW.KERNEL32(00000000,?), ref: 008DD52F
CloseHandle.KERNEL32(00000000), ref: 008DD5DC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 889f5ad1514c4849b9d98fc92c0e48abd06265c697c95cd31641dd54bdb72547
Instruction ID: 2f7ad9b6fa48af6160421bac9fe25ccee29f5139b3abfe41cb516c82c6f5d30a
Opcode Fuzzy Hash: 889f5ad1514c4849b9d98fc92c0e48abd06265c697c95cd31641dd54bdb72547
Instruction Fuzzy Hash: 9F315C711083009FD305EF58D881AAABBF8FF99354F14462DF585C62A1EB71E945CB93

Function 008DDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,008B5222), ref: 008DDBCE
GetFileAttributesW.KERNEL32(?), ref: 008DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 008DDBEE
FindClose.KERNEL32(00000000), ref: 008DDBFA

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c8c2212c3d903cdc833b079203d407251b6b44eebe5b264610596fe64c511408
Instruction ID: be3b7a28c5be018f0e3615081329658aa59eca547d98c2c4efb95a34f2c69bfb
Opcode Fuzzy Hash: c8c2212c3d903cdc833b079203d407251b6b44eebe5b264610596fe64c511408
Instruction Fuzzy Hash: D1F0A070838A145BC2206B7CAC0E8BA376CEF01334F204703F836C22E1EBB099549695

Function 008CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008CD220

Strings

%.3d, xrefs: 008CD22B
X64, xrefs: 008CD2A8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 98ea39123490ecd51e20683e2eef870a106fcd9f962ca04f28680afc84d1266d
Instruction ID: ac5885141a035d7e08c7660a3a8a05d11252d3ad22c579ac9412440bd14073b5
Opcode Fuzzy Hash: 98ea39123490ecd51e20683e2eef870a106fcd9f962ca04f28680afc84d1266d
Instruction Fuzzy Hash: 89D012A1C0830DE9CB50B7D0DC45EBAF3BCFB09305F508476F906D2041D634E5486B61

Function 00894CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008A28E9,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002,00000000,?,008A28E9), ref: 00894D09
TerminateProcess.KERNEL32(00000000,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002,00000000,?,008A28E9), ref: 00894D10
ExitProcess.KERNEL32 ref: 00894D22

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cdd36ccbf9efdf37eeba5081e89ccb8d8b9caa95e9c51e48aa30aed2b40bfdab
Instruction ID: 43c82b5b977ffc4177fa7b89b9b0e5933e548c6cc58ce25d9580d37181768875
Opcode Fuzzy Hash: cdd36ccbf9efdf37eeba5081e89ccb8d8b9caa95e9c51e48aa30aed2b40bfdab
Instruction Fuzzy Hash: C1E0B675124148AFCF15BF54DD09E583B69FB46781B148114FC05CA122CB35DD42EB80

Function 008CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008CD28C

Strings

X64, xrefs: 008CD2A8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: fe2a283d518c62a836ae66bc8b626480679d786de0962f218adae3878883e2ec
Instruction ID: 1bc885c1f229d5ac8ea4673f7f834a5e33d0a6ce305318d0f726896bfca06a93
Opcode Fuzzy Hash: fe2a283d518c62a836ae66bc8b626480679d786de0962f218adae3878883e2ec
Instruction Fuzzy Hash: FBD0E9B581521DEECF94DB90DC88DD9B77CFB14349F104655F506E2140D77495499F10

Function 008FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 008FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FB1D4
_wcslen.LIBCMT ref: 008FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FB236
_wcslen.LIBCMT ref: 008FB332

Part of subcall function 008E05A7: GetStdHandle.KERNEL32(000000F6), ref: 008E05C6

_wcslen.LIBCMT ref: 008FB34B
_wcslen.LIBCMT ref: 008FB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FB3B6
GetLastError.KERNEL32(00000000), ref: 008FB407
CloseHandle.KERNEL32(?), ref: 008FB439
CloseHandle.KERNEL32(00000000), ref: 008FB44A
CloseHandle.KERNEL32(00000000), ref: 008FB45C
CloseHandle.KERNEL32(00000000), ref: 008FB46E
CloseHandle.KERNEL32(?), ref: 008FB4E3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3c3ff6ecbac03d0791e107cdae0192a9d018d481db2f87d518dd18b953ef57dc
Instruction ID: bae1c2e16be6cbab7cd7bd9686fbaa66e2f2ff4c4240ce06ef9466d457516556
Opcode Fuzzy Hash: 3c3ff6ecbac03d0791e107cdae0192a9d018d481db2f87d518dd18b953ef57dc
Instruction Fuzzy Hash: 42F18B716082449FCB14EF28C891B2ABBE5FF85714F14855DF999CB2A6DB31EC40CB52

Function 0087D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0087D807
timeGetTime.WINMM ref: 0087DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB28
TranslateMessage.USER32(?), ref: 0087DB7B
DispatchMessageW.USER32(?), ref: 0087DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB9F
Sleep.KERNEL32(0000000A), ref: 0087DBB1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c300d3622a393b4f8cec99a2f604b1ad8319211a1c23ded47ae7b6d748773b5e
Instruction ID: 285f65bffd2eaff46d4e708e3d860d1987e87cc50965626e0908af4d021220b9
Opcode Fuzzy Hash: c300d3622a393b4f8cec99a2f604b1ad8319211a1c23ded47ae7b6d748773b5e
Instruction Fuzzy Hash: D4429A706083459FDB29DB28C884F6ABBF0FF86314F14865DE55AC72A1D770E884DB92

Function 00872CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00872D07
RegisterClassExW.USER32(00000030), ref: 00872D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00872D42
InitCommonControlsEx.COMCTL32(?), ref: 00872D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00872D6F
LoadIconW.USER32(000000A9), ref: 00872D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00872D94

Strings

TaskbarCreated, xrefs: 00872D37
+, xrefs: 00872CF0
AutoIt v3 GUI, xrefs: 00872D23
0, xrefs: 00872CE9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9c921c6be5754fd4e98b61acdd268325e818564fd24d9eaebd6dbcdc1a656d46
Instruction ID: da36a18d3fd6056311643659deb8ddc8b8d537502774ab10a4d6d0dcb9b85620
Opcode Fuzzy Hash: 9c921c6be5754fd4e98b61acdd268325e818564fd24d9eaebd6dbcdc1a656d46
Instruction Fuzzy Hash: D921C4B9965318AFDB00DFA4EC49BDDBBB4FB09704F00821AF511A62A0D7B14584EF91

Function 008B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008B039A: CreateFileW.KERNEL32(00000000,00000000,?,008B0704,?,?,00000000,?,008B0704,00000000,0000000C), ref: 008B03B7

GetLastError.KERNEL32 ref: 008B076F
__dosmaperr.LIBCMT ref: 008B0776
GetFileType.KERNEL32(00000000), ref: 008B0782
GetLastError.KERNEL32 ref: 008B078C
__dosmaperr.LIBCMT ref: 008B0795
CloseHandle.KERNEL32(00000000), ref: 008B07B5
CloseHandle.KERNEL32(?), ref: 008B08FF
GetLastError.KERNEL32 ref: 008B0931
__dosmaperr.LIBCMT ref: 008B0938

Strings

H, xrefs: 008B08BD

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a507db07f80dce0d146946c5e34e92578688064e931d42d665eb3d4f178736f8
Instruction ID: 58b2b9d614679b234afb7182810eecaa5ccd379f03cdb8e5d2b48c7a7189804e
Opcode Fuzzy Hash: a507db07f80dce0d146946c5e34e92578688064e931d42d665eb3d4f178736f8
Instruction Fuzzy Hash: 1AA12632A141088FDF19AF68DC51BEE7BA0FB4A324F140199F815DB392DB319916DF92

Function 0087344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00873A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00941418,?,00872E7F,?,?,?,00000000), ref: 00873A78

Part of subcall function 00873357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00873379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0087356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008B31CE
RegCloseKey.ADVAPI32(?), ref: 008B3210
_wcslen.LIBCMT ref: 008B3277
_wcslen.LIBCMT ref: 008B3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00873560
\, xrefs: 008B328C
\Include\, xrefs: 00873527
Include, xrefs: 008B3184, 008B31C5

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a919874408fe18194665e4cf3c271dbf28de44f613299fb0239732674567c27b
Instruction ID: 676e61a8f56d4f09b69bd680f83fa3bbf9fb92476a7ea47037574a0126793a99
Opcode Fuzzy Hash: a919874408fe18194665e4cf3c271dbf28de44f613299fb0239732674567c27b
Instruction Fuzzy Hash: EA715A714183009EC714EF69D882D9ABBF8FF96B40B80452EF559C62A5EB309A48DB52

Function 00872B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00872B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00872B9D
LoadIconW.USER32(00000063), ref: 00872BB3
LoadIconW.USER32(000000A4), ref: 00872BC5
LoadIconW.USER32(000000A2), ref: 00872BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00872BEF
RegisterClassExW.USER32(?), ref: 00872C40

Part of subcall function 00872CD4: GetSysColorBrush.USER32(0000000F), ref: 00872D07
Part of subcall function 00872CD4: RegisterClassExW.USER32(00000030), ref: 00872D31
Part of subcall function 00872CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00872D42
Part of subcall function 00872CD4: InitCommonControlsEx.COMCTL32(?), ref: 00872D5F
Part of subcall function 00872CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00872D6F
Part of subcall function 00872CD4: LoadIconW.USER32(000000A9), ref: 00872D85
Part of subcall function 00872CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00872D94

Strings

AutoIt v3, xrefs: 00872C2F
0, xrefs: 00872C0F
#, xrefs: 00872C16

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ccf129aeda272b0232e2cf735d9137dba7abb6653c2df662141d269ea27e1f74
Instruction ID: 418ca51248d2d65c0816058c7c9785c0c344740950db12fc806f839944f2c2ce
Opcode Fuzzy Hash: ccf129aeda272b0232e2cf735d9137dba7abb6653c2df662141d269ea27e1f74
Instruction Fuzzy Hash: 82216FB8E68314AFDB109FA5EC45F9D7FB4FB49B50F00411AF500A66A0D3B14580EF90

Function 00873170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0087316A,?,?), ref: 008731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0087316A,?,?), ref: 00873204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00873227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0087316A,?,?), ref: 00873232
CreatePopupMenu.USER32 ref: 00873246
PostQuitMessage.USER32(00000000), ref: 00873267

Strings

TaskbarCreated, xrefs: 0087322D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4d88ee54b9345550a00b30f1597e16b748f5c15533012c6f9a647187f928063b
Instruction ID: 53ca8591b5126f70eebca96c7abf04fca6732b90b56e1d006489295645aa3782
Opcode Fuzzy Hash: 4d88ee54b9345550a00b30f1597e16b748f5c15533012c6f9a647187f928063b
Instruction Fuzzy Hash: 79411735278208ABDB255B7C9C09FB93B59F706345F148225F90AC63AAD771CA80B773

Function 00871410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00871459
CoUninitialize.COMBASE ref: 008714F8
UnregisterHotKey.USER32(?), ref: 008716DD
DestroyWindow.USER32(?), ref: 008B24B9
FreeLibrary.KERNEL32(?), ref: 008B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008B254B

Strings

close all, xrefs: 00871454

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ed47ad7c039fa22a7219000f07a2e0b4df4d035bdfb6d81a9bca89833d2b4a44
Instruction ID: c7670b2cb3ca4ec4b80cf04cc641bfc63ca4d0ae0c908541b678e1cf426d73b3
Opcode Fuzzy Hash: ed47ad7c039fa22a7219000f07a2e0b4df4d035bdfb6d81a9bca89833d2b4a44
Instruction Fuzzy Hash: FDD159716012128FCB29EF18C899A69F7A4FF05710F1482ADE54AEB656DB30ED12CF52

Function 008DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 008DDE42
gethostname.WS2_32(?,00000100), ref: 008DDE5C
gethostbyname.WS2_32(?), ref: 008DDE69
inet_ntoa.WSOCK32(?), ref: 008DDEAB
_strcat.LIBCMT ref: 008DDEB9
WSACleanup.WSOCK32 ref: 008DDEDE

Strings

0.0.0.0, xrefs: 008DDE87

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: d9521de67e2a50253f3ce5907aed97ffa31afe357b88d310ec9114de9f0e1a0a
Instruction ID: 5fcea60b7e49e96f166a7c57150b1b3781f70b7319035fd1ffb87af948814ccc
Opcode Fuzzy Hash: d9521de67e2a50253f3ce5907aed97ffa31afe357b88d310ec9114de9f0e1a0a
Instruction Fuzzy Hash: 91110A71504214AFCB207B64DC0AEDE776CFF50715F04036AF545DA291EF708A819B61

Function 00872C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00872C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00872CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00871CAD,?), ref: 00872CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00871CAD,?), ref: 00872CCF

Strings

AutoIt v3, xrefs: 00872C89, 00872C8E, 00872C8F
edit, xrefs: 00872CAC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: be347a593a27b997748aa1844ddfd38ec4af7510b505a00928bfc4c616361b03
Instruction ID: fc4a20fa60241a8985c4099bed23a1498bde036a11b7f5ccda371eb209a1fe54
Opcode Fuzzy Hash: be347a593a27b997748aa1844ddfd38ec4af7510b505a00928bfc4c616361b03
Instruction Fuzzy Hash: 89F0DAB95642907EEB311B17AC48E772EBDD7C7F50B00005AF900A25A0C6611894EAB0

Function 00873B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B83

Strings

Control Panel\Mouse, xrefs: 00873B3E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a62e28d76f3b2476283d66fc6ee8e24ec354c76a168d72e62c306badce9dc457
Instruction ID: bb7fce2a9c2042614a4e6f2f6dcb3bd70c44559fda2a6e2f47a1af5298589cd7
Opcode Fuzzy Hash: a62e28d76f3b2476283d66fc6ee8e24ec354c76a168d72e62c306badce9dc457
Instruction Fuzzy Hash: A5112AB5520208FFDB208FA5DC84AEEB7BCFF15754B10855AA809D7114D231DE40A7A1

Function 008CD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008CD3BF
FreeLibrary.KERNEL32 ref: 008CD3E5

Strings

X64, xrefs: 008CD2A8
GetSystemWow64DirectoryW, xrefs: 008CD3B9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 1961aaee31d9906b322a2afa2fa3d76ad20080c52da4b1603702d53388dca6bf
Instruction ID: 0f6c8be8bfbf9c1e49a4f72c2d940db314efa9adf48d80f1f80f948f9cf7c62b
Opcode Fuzzy Hash: 1961aaee31d9906b322a2afa2fa3d76ad20080c52da4b1603702d53388dca6bf
Instruction Fuzzy Hash: 31F020B280AB258AC37133204C28F6A73B0FF10705F64823CE402E1284E730CC408682

Function 0087DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008C32B7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8fd074538fd0210ce6f1f902bebee29601e8da0b1a51dacd20a48a88a64e90a1
Instruction ID: c19e74415eb2d997520522f14edff53107c54d113c544370564c6546a2a5180c
Opcode Fuzzy Hash: 8fd074538fd0210ce6f1f902bebee29601e8da0b1a51dacd20a48a88a64e90a1
Instruction Fuzzy Hash: 8AC27975A00209CFCB24DF58C881AADB7B1FB19314F24C5A9E919EB3A5D371ED42CB91

Function 0087EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0087FE66

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 8bd2987c2da4ed36717e643821af01b0bd8c33f9aab35d328e5715a9beb86256
Instruction ID: 1f88bc93a2eac2fd0aa67d58397778dfde9a4e0785e37ebead3238fd444abecc
Opcode Fuzzy Hash: 8bd2987c2da4ed36717e643821af01b0bd8c33f9aab35d328e5715a9beb86256
Instruction Fuzzy Hash: AFB25874608340CFCB24CF19C490A2AB7E1FB99314F24896DFA99CB35AD771E885DB52

Function 00873923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008B33A2

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00873A04

Strings

Line: , xrefs: 008B33EB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9bdd440a92edfc9d7a3b1189cfec51d2de2ec7bb13a057ec5aacafb37af001fa
Instruction ID: abd2f7bb80fa3c24f5afe3df8c71b9f7beb292395d4ad112ab72236459c0596f
Opcode Fuzzy Hash: 9bdd440a92edfc9d7a3b1189cfec51d2de2ec7bb13a057ec5aacafb37af001fa
Instruction Fuzzy Hash: 3E31AF71418314AAC725EB24DC45FEBB7E8FB85714F00852AF59DC2195EB70D688D783

Function 0088FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00890668

Part of subcall function 008932A4: RaiseException.KERNEL32(?,?,?,0089068A,?,00941444,?,?,?,?,?,?,0089068A,00871129,00938738,00871129), ref: 00893304

__CxxThrowException@8.LIBVCRUNTIME ref: 00890685

Strings

Unknown exception, xrefs: 00890692

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f466196a23b96d600564e0b8d49b36e05b0fd03569f1372912ac3e348381712f
Instruction ID: cc9145b61d05460a5b7d7cddc2b670c8bfba2e230d1e8f7c6f4d7bfe1fdd4e42
Opcode Fuzzy Hash: f466196a23b96d600564e0b8d49b36e05b0fd03569f1372912ac3e348381712f
Instruction Fuzzy Hash: 31F0442490030D6B8F10B6A8D846D5E776CFE50354B644531BA24D55D2EF71DB55CE82

Function 008710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00871BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00871BF4
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00871BFC
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00871C07
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00871C12
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00871C1A
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00871C22

Part of subcall function 00871B4A: RegisterWindowMessageW.USER32(00000004,?,008712C4), ref: 00871BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0087136A
OleInitialize.OLE32 ref: 00871388
CloseHandle.KERNEL32(00000000,00000000), ref: 008B24AB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c6c5dd6b1e79038464f95d5d687fddee9a2e836c4f2ec6ee5e19ebe604b04de0
Instruction ID: e61e1a7da3dfdeb67dee1cf706f8a6371876a7f019a79475400496b6115d0942
Opcode Fuzzy Hash: c6c5dd6b1e79038464f95d5d687fddee9a2e836c4f2ec6ee5e19ebe604b04de0
Instruction Fuzzy Hash: F3718AB89793048FC798EF7DE845E953AE4FB8A344714822AE51AC7375EB3084C0AF41

Function 008DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00873A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008DC259
KillTimer.USER32(?,00000001,?,?), ref: 008DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008DC270

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e0c980a3bfb5c36f89dbae523e8d7fa65e8ccf475dd89685ce5c7d14253e8d33
Instruction ID: a9e79d0ba5d208b6222e70ebb32f17a294fbfd01fc835ded0d219930d8842807
Opcode Fuzzy Hash: e0c980a3bfb5c36f89dbae523e8d7fa65e8ccf475dd89685ce5c7d14253e8d33
Instruction Fuzzy Hash: 7F319570904354AFEB329F648895BE7BBECEB06308F04059EE5DAD7241C7745A84DB51

Function 008A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,008A85CC,?,00938CC8,0000000C), ref: 008A8704
GetLastError.KERNEL32(?,008A85CC,?,00938CC8,0000000C), ref: 008A870E
__dosmaperr.LIBCMT ref: 008A8739

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d622ac44b38316a4bbf6f541a2c484677e960424ab86aa36ce9da8577e23090b
Instruction ID: cbe51d1bab27c1148568c7a8e8d805173c90d6916efce1f9733ea36640235170
Opcode Fuzzy Hash: d622ac44b38316a4bbf6f541a2c484677e960424ab86aa36ce9da8577e23090b
Instruction Fuzzy Hash: 40016F32614520A6FA2463386849B7E2745FBD3774F380159FA04CB9D2DEB0CCC191A1

Function 0087DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0087DB7B
DispatchMessageW.USER32(?), ref: 0087DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB9F
Sleep.KERNEL32(0000000A), ref: 0087DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008C1CC9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 89f00632ff6165bc72e79ad55e64cbba39983b396f8fb3b3c30026729fa01134
Instruction ID: 40859b6b46dbb8702080f4511cd829add079b9fa21df7be944df86615e13ab82
Opcode Fuzzy Hash: 89f00632ff6165bc72e79ad55e64cbba39983b396f8fb3b3c30026729fa01134
Instruction Fuzzy Hash: FFF0FE716583449BEB30DB648C89FAA73B8FF45310F508A19F65AD30D0DB70E4889B16

Function 00881310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008817F6

Strings

CALL, xrefs: 008817C6

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7b9f5b8e3846edeec8805387abe491a75fbac60c245625408af3a9d7e2318558
Instruction ID: 9fe486d2f8b2dc9630bb6ef13dee8c96f9ae745bbb5f978f60e07d4eaf89c85c
Opcode Fuzzy Hash: 7b9f5b8e3846edeec8805387abe491a75fbac60c245625408af3a9d7e2318558
Instruction Fuzzy Hash: 1C226A706082419FCB14EF28C485A2ABBF5FF85314F24896DF596CB362DB31E856CB52

Function 008801E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb5844e2b49cb444204bd53e59104ba33b86fd10ec9111e55fa00f96c671c0c
Instruction ID: 2134c507bccf9ad85a0a56059644172416e601887fad1bc4bcaf1b615ec33bf1
Opcode Fuzzy Hash: 0eb5844e2b49cb444204bd53e59104ba33b86fd10ec9111e55fa00f96c671c0c
Instruction Fuzzy Hash: FD327970A006099FCF24EF58C885FAEB7B1FF05314F148569E915EB2A2D771E984CB52

Function 00872DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008B2C8C

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

Part of subcall function 00872DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00872DC4

Strings

X, xrefs: 008B2C5A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d01b8638c0c844e7570a3cc7845261821207a9d1b63479131a60ca70550456d8
Instruction ID: e8e09fddd00abfd7dcc41c6c1876deedeed3c380e558154a7787e9cdff0a573c
Opcode Fuzzy Hash: d01b8638c0c844e7570a3cc7845261821207a9d1b63479131a60ca70550456d8
Instruction Fuzzy Hash: 99215471A10258AEDB11DF98C845BEE7BF8FF49314F008059E409E7245DBB49A499F62

Function 008CD363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 008CD375

Strings

X64, xrefs: 008CD2A8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: ce23611118b5d05579c7fb79a03cc779807fef655ef93cf62e19afdd11bd5d5b
Instruction ID: fdc29367019196f0b52653b8971d8b330a9e34300ca75f32aed2d8622ad41f25
Opcode Fuzzy Hash: ce23611118b5d05579c7fb79a03cc779807fef655ef93cf62e19afdd11bd5d5b
Instruction Fuzzy Hash: F1D0C9B581521DEECB94EB40DC88EDEB37CFB04309F608265F006E2040D730E5489B10

Function 00873837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00873908

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 10eb52d3fb1ec1df3a4bb47a0f28f141baa4092e30fa8faf48e4fcb4c728b03e
Instruction ID: c8b1baf7f8c3f2394fa8149eb234e4122253b30221a1c61c14d46a01c84e9bb2
Opcode Fuzzy Hash: 10eb52d3fb1ec1df3a4bb47a0f28f141baa4092e30fa8faf48e4fcb4c728b03e
Instruction Fuzzy Hash: D1318EB05083019FD720DF24D884B97BBE8FB49708F00092EF59AC3250E771AA44EB53

Function 0088F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0088F661

Part of subcall function 0087D730: GetInputState.USER32 ref: 0087D807

Sleep.KERNEL32(00000000), ref: 008CF2DE

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 30272237a20c77c086e440c5f5b4f747e7a5cc71a7c1b9131bc6d96870821433
Instruction ID: 69b0814676a0e0f456ecf4913d97f4bec7b5f6282b5c5cb29ab03cff1c237951
Opcode Fuzzy Hash: 30272237a20c77c086e440c5f5b4f747e7a5cc71a7c1b9131bc6d96870821433
Instruction Fuzzy Hash: 22F08C712442059FD354EF69D449B6AB7F9FF46761F004129E85DC72A1DB70A800CB92

Function 0087B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0087BB4E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c00deb72315d867b16bf459a0b4ada53a8d8c354c2d8f20b210062298665b5a9
Instruction ID: 53f6006ef0475ab115b464619109c2dbd17434a0c26ff72931e9eb4b250b6e53
Opcode Fuzzy Hash: c00deb72315d867b16bf459a0b4ada53a8d8c354c2d8f20b210062298665b5a9
Instruction Fuzzy Hash: 21329834A04209DFCB24CF68C884FAAB7BAFF45394F188059E919EB255D774ED41CB92

Function 00874ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00874E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E9C
Part of subcall function 00874E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00874EAE
Part of subcall function 00874E90: FreeLibrary.KERNEL32(00000000,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874EFD

Part of subcall function 00874E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E62
Part of subcall function 00874E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00874E74
Part of subcall function 00874E59: FreeLibrary.KERNEL32(00000000,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E87

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 0705f0775e945a2c1f38188621530d3c04b499889b4faf4580e81f598ba2b17b
Instruction ID: 0b3622501561458fc619b20a5c8aa2b6b2a72bacc6f4d7b26c9758647b533d9f
Opcode Fuzzy Hash: 0705f0775e945a2c1f38188621530d3c04b499889b4faf4580e81f598ba2b17b
Instruction Fuzzy Hash: B411C132610205AADB14FB68DC12FAD77A5FF40720F10C42DF54AE62C9EFB0DA459752

Function 008A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008A8440

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a7fce726ca6d498f26107d43f441e5cd9c332b1fb3f97aa92375d8a3f518c639
Instruction ID: 1b371504cafcf11d80d1b8a54ed1a0c1c9b2f841c4fde2f7054a8d3283dff0f6
Opcode Fuzzy Hash: a7fce726ca6d498f26107d43f441e5cd9c332b1fb3f97aa92375d8a3f518c639
Instruction Fuzzy Hash: 7911187590420AEFDF05DF58E94199A7BF9FF49314F104059F808EB312DA31DA11CBA9

Function 008A5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008A4C7D: RtlAllocateHeap.NTDLL(00000008,00871129,00000000,?,008A2E29,00000001,00000364,?,?,?,0089F2DE,008A3863,00941444,?,0088FDF5,?), ref: 008A4CBE

_free.LIBCMT ref: 008A506C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d4db71aa020195d1c1681fdeb9a79dd9cb31355e84ea77adbae577e8b2a74137
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 16012672204B046BF331CE699881A5AFBE8FB8A370F25051DE184C3680EA70A845C6B5

Function 0089E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 38504235f835eb116408c288d582fd44627be3c06630481d0419dfd6e8cab29b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 48F0D632510E149AEE327A6D8C05B563B98FFB2334F180715F521D66D2DA709401C5A7

Function 008A4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00871129,00000000,?,008A2E29,00000001,00000364,?,?,?,0089F2DE,008A3863,00941444,?,0088FDF5,?), ref: 008A4CBE

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3b2e662d78b5cea7c7f099009fcc770eb6b88f8e2c5ed10b981791746cb059ed
Instruction ID: 3d3cd17652fd7022b704a2184284f457d11ce426af426d81dd920e9875a77205
Opcode Fuzzy Hash: 3b2e662d78b5cea7c7f099009fcc770eb6b88f8e2c5ed10b981791746cb059ed
Instruction Fuzzy Hash: E7F0E93160622467FF216F669C05F5A3788FFC37B4B186221B91DE7991CAF0D80196E1

Function 008A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b0bb0be63a0e672f7e1935a6f20f2ec1302331376f972663406faebab5b37f0
Instruction ID: fac248d9e8c510c4528e025b37e5c2a4345c2675e436539844483d7a535785cf
Opcode Fuzzy Hash: 6b0bb0be63a0e672f7e1935a6f20f2ec1302331376f972663406faebab5b37f0
Instruction Fuzzy Hash: 62E0E53110522457FA213B6A9C04F9A3648FF437B4F090130BC14D2D91DB58DE0182E1

Function 00874F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874F6D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 153dcb083f06a1acf5493d3e9acf43a255bc62e01edaf15db92898dd72116a7b
Instruction ID: e01547179f76532d2535efc71b6f0241d145efdc186e4c02b69b123e2a10f9bf
Opcode Fuzzy Hash: 153dcb083f06a1acf5493d3e9acf43a255bc62e01edaf15db92898dd72116a7b
Instruction Fuzzy Hash: 2DF015B1109752CFDB349F64D490822BBE4FF15329324DA6EE1EEC2625CB32D844DB10

Function 00902A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00902A66

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 28013d1973869b40cce85ddd9ecab76a533a88a83334ede7cb0537cb21ffce54
Instruction ID: d6b154c75624200612b71f7a4baf1b986e18b6c71c878115eb598d16a415bccf
Opcode Fuzzy Hash: 28013d1973869b40cce85ddd9ecab76a533a88a83334ede7cb0537cb21ffce54
Instruction Fuzzy Hash: 13E0DF32354216AECB20EB34DC888FA735CEB10390B100636BC1BC2280DF34998582A0

Function 008730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0087314E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 28afb7cb864a136db617eb2e4d074c1d90e88dd4c51951d80bddb4334ee5526d
Instruction ID: 04fc74e4aba1e14cf090ee86d772c86b1852bac12a4264deedca878bc63baa00
Opcode Fuzzy Hash: 28afb7cb864a136db617eb2e4d074c1d90e88dd4c51951d80bddb4334ee5526d
Instruction Fuzzy Hash: 50F082709143149FEB629F24DC45B957BACB701708F0000E5A14896291D7704788DB52

Function 00872DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00872DC4

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d43f14b55a52e435aa75e27ead6d094fcc0967043ff82180814a5de72556113d
Instruction ID: fbafb2d613c4712a8262dbec18b205853bccecb6237b541ac6ac6c7dd2cf22d6
Opcode Fuzzy Hash: d43f14b55a52e435aa75e27ead6d094fcc0967043ff82180814a5de72556113d
Instruction Fuzzy Hash: 62E086726041245BCB10925C9C05FEA779DEB88790F044171FD09D7249D960ED808551

Function 00872B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00873837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00873908

Part of subcall function 0087D730: GetInputState.USER32 ref: 0087D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00872B6B

Part of subcall function 008730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0087314E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 235a7994031e9803ec9e0590798d7f92ffba711285180797ae4de4e750d846c7
Instruction ID: 4c4a6e7b08c4b55503cc16d8a70419bffaa82da7c6123ce247df7a956177c95d
Opcode Fuzzy Hash: 235a7994031e9803ec9e0590798d7f92ffba711285180797ae4de4e750d846c7
Instruction Fuzzy Hash: 63E0862131424806C618BB7D985297DA759FBD6355F40953EF14EC31B7CF34C5855353

Function 008DDF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 008DDF40

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 501e8a9db0a1a955575f5a258f01ba71a19042f5ef6a4a330eaa9dd80db80ffa
Instruction ID: 7f7df337edd27e84815685629876728fc0326065c64c1fbc5dfccc9f9a9900f0
Opcode Fuzzy Hash: 501e8a9db0a1a955575f5a258f01ba71a19042f5ef6a4a330eaa9dd80db80ffa
Instruction Fuzzy Hash: C7D05EE2A002282FDF60E7749C0DDF73AACE740220F0006A0786DD3152E920DE4486B0

Function 008B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,008B0704,?,?,00000000,?,008B0704,00000000,0000000C), ref: 008B03B7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0bf8f405fc93b75bd5eabb35bc61e12c9f6c2e604e3810b649ae6e41e5339ffb
Instruction ID: 949734608a70a35f7fecd6799ea31bfb6dc15c1497af97d32be2e3593c8dc077
Opcode Fuzzy Hash: 0bf8f405fc93b75bd5eabb35bc61e12c9f6c2e604e3810b649ae6e41e5339ffb
Instruction Fuzzy Hash: A4D06C3205410DBFDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E821AB90

Function 00871CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00871CBC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 910132c5220054918f62466b4bbab4c5b4d9456f418b7dd7ec05a6a0112a9401
Instruction ID: b6393fdfbc0e6da4da7dae8936ea1006afb1ea549b202f3246fb8b3e924397c3
Opcode Fuzzy Hash: 910132c5220054918f62466b4bbab4c5b4d9456f418b7dd7ec05a6a0112a9401
Instruction Fuzzy Hash: 88C0923E2AC304AFF3188B80BC4AF1077A4B349F00F448001F609A96E3D3A22860FA50

Non-executed Functions

Function 00909576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0090961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0090969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009096C9
SendMessageW.USER32 ref: 009096F2
GetKeyState.USER32(00000011), ref: 0090978B
GetKeyState.USER32(00000009), ref: 00909798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009097AE
GetKeyState.USER32(00000010), ref: 009097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009097E9
SendMessageW.USER32 ref: 00909810
SendMessageW.USER32(?,00001030,?,00907E95), ref: 00909918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0090992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00909941
SetCapture.USER32(?), ref: 0090994A
ClientToScreen.USER32(?,?), ref: 009099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009099D6
ReleaseCapture.USER32 ref: 009099E1
GetCursorPos.USER32(?), ref: 00909A19
ScreenToClient.USER32(?,?), ref: 00909A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00909A80
SendMessageW.USER32 ref: 00909AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00909AEB
SendMessageW.USER32 ref: 00909B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00909B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00909B4A
GetCursorPos.USER32(?), ref: 00909B68
ScreenToClient.USER32(?,?), ref: 00909B75
GetParent.USER32(?), ref: 00909B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00909BFA
SendMessageW.USER32 ref: 00909C2B
ClientToScreen.USER32(?,?), ref: 00909C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00909CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00909CDE
SendMessageW.USER32 ref: 00909D01
ClientToScreen.USER32(?,?), ref: 00909D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00909D82

Part of subcall function 00889944: GetWindowLongW.USER32(?,000000EB), ref: 00889952

GetWindowLongW.USER32(?,000000F0), ref: 00909E05

Strings

F, xrefs: 00909D07
@GUI_DRAGID, xrefs: 0090997D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 9f9c346a31872961e173b6dbb4b616683534bb6e1431d819d44d52b836a71fb2
Instruction ID: 26fb53795aa540f9e108e8b8dcc8a019a8b0d9f11d62a9900d9ce0774a0fd0b4
Opcode Fuzzy Hash: 9f9c346a31872961e173b6dbb4b616683534bb6e1431d819d44d52b836a71fb2
Instruction Fuzzy Hash: EA429F75608201AFD724CF28CC44EAABBE9FF49714F144A19F699872E2D732E850DF52

Function 00904873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00904908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00904927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0090494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0090495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0090497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00904A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00904A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00904A7E
IsMenu.USER32(?), ref: 00904A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00904AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00904B20
GetWindowLongW.USER32(?,000000F0), ref: 00904B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00904BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00904C82
wsprintfW.USER32 ref: 00904CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00904CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00904CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00904D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00904D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00904D5A

Strings

%d/%02d/%02d, xrefs: 00904CA8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 23bf02126f71cf27d7b11a8e46cf0784324cb74c3ae0671829dfde960a2a82fa
Instruction ID: 19da6b4ed9ffd5998d2788df01c5bb1d61e6ae82f391fd94bb48e75249b55469
Opcode Fuzzy Hash: 23bf02126f71cf27d7b11a8e46cf0784324cb74c3ae0671829dfde960a2a82fa
Instruction Fuzzy Hash: 4A12BEB1600215AFEB259F28CC49FAE7BF8FF85710F104629F615EA2E1DB749941CB50

Function 0088F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0088F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008CF474
IsIconic.USER32(00000000), ref: 008CF47D
ShowWindow.USER32(00000000,00000009), ref: 008CF48A
SetForegroundWindow.USER32(00000000), ref: 008CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008CF4AA
GetCurrentThreadId.KERNEL32 ref: 008CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008CF4DE
SetForegroundWindow.USER32(00000000), ref: 008CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF4F6
keybd_event.USER32(00000012,00000000), ref: 008CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF50B
keybd_event.USER32(00000012,00000000), ref: 008CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF519
keybd_event.USER32(00000012,00000000), ref: 008CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF528
keybd_event.USER32(00000012,00000000), ref: 008CF52D
SetForegroundWindow.USER32(00000000), ref: 008CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008CF557

Strings

Shell_TrayWnd, xrefs: 008CF46F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7901e1f3a78bcc3dbd2f68a4e95511102e6d39d31bd66e9d1615a9f027a2f456
Instruction ID: 1d1d82d476e29ac22d4a1ad11cf4fec2e1a024591b10aeec899b146211e46fec
Opcode Fuzzy Hash: 7901e1f3a78bcc3dbd2f68a4e95511102e6d39d31bd66e9d1615a9f027a2f456
Instruction Fuzzy Hash: 36313EB1A54218BEFB216BB55C4AFBF7E7DFB44B50F100169FB01E61D1C6B19900BAA0

Function 008D1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D170D
Part of subcall function 008D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D173A
Part of subcall function 008D16C3: GetLastError.KERNEL32 ref: 008D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008D12A8
CloseHandle.KERNEL32(?), ref: 008D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D12D1
GetProcessWindowStation.USER32 ref: 008D12EA
SetProcessWindowStation.USER32(00000000), ref: 008D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D1310

Part of subcall function 008D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D11FC), ref: 008D10D4
Part of subcall function 008D10BF: CloseHandle.KERNEL32(?,?,008D11FC), ref: 008D10E9

Strings

default, xrefs: 008D130B
winsta0, xrefs: 008D12CC
, xrefs: 008D125A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 4e94651150c3d7c2364eac774efa08e6751ad9066d9429064ac01468a09b2012
Instruction ID: c7631530581062322a4507d703f58e14c8c80f2c2210fe6139c024c4f563f4db
Opcode Fuzzy Hash: 4e94651150c3d7c2364eac774efa08e6751ad9066d9429064ac01468a09b2012
Instruction Fuzzy Hash: D4817AB1900209BFDF219FA8DC49BEE7BBAFF04704F14422AF910E62A0C7718945DB65

Function 008D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D1114
Part of subcall function 008D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1120
Part of subcall function 008D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D112F
Part of subcall function 008D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1136
Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D0C00
GetLengthSid.ADVAPI32(?), ref: 008D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D0C6D
GetLengthSid.ADVAPI32(?), ref: 008D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008D0C8C
HeapAlloc.KERNEL32(00000000), ref: 008D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D0CB4
CopySid.ADVAPI32(00000000), ref: 008D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0D45
HeapFree.KERNEL32(00000000), ref: 008D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0D55
HeapFree.KERNEL32(00000000), ref: 008D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0D65
HeapFree.KERNEL32(00000000), ref: 008D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008D0D78
HeapFree.KERNEL32(00000000), ref: 008D0D7F

Part of subcall function 008D1193: GetProcessHeap.KERNEL32(00000008,008D0BB1,?,00000000,?,008D0BB1,?), ref: 008D11A1
Part of subcall function 008D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008D0BB1,?), ref: 008D11A8
Part of subcall function 008D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008D0BB1,?), ref: 008D11B7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a17baaed0a8d918815f456bb9eb77b7bfdae6c02494ec45e3bcc5181cad4f6f6
Instruction ID: ed9fb5ecacbd23f9c89bfe53812e0078abb300a772df55452689cce4475cfabf
Opcode Fuzzy Hash: a17baaed0a8d918815f456bb9eb77b7bfdae6c02494ec45e3bcc5181cad4f6f6
Instruction Fuzzy Hash: 6A7168B290420AAFEF109FA4DC48BAEBBB9FF05310F044716E914E7291D771AA45DF60

Function 008EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0090CC08), ref: 008EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 008EEB37
GetClipboardData.USER32(0000000D), ref: 008EEB43
CloseClipboard.USER32 ref: 008EEB4F
GlobalLock.KERNEL32(00000000), ref: 008EEB87
CloseClipboard.USER32 ref: 008EEB91
GlobalUnlock.KERNEL32(00000000), ref: 008EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 008EEBC9
GetClipboardData.USER32(00000001), ref: 008EEBD1
GlobalLock.KERNEL32(00000000), ref: 008EEBE2
GlobalUnlock.KERNEL32(00000000), ref: 008EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 008EEC38
GetClipboardData.USER32(0000000F), ref: 008EEC44
GlobalLock.KERNEL32(00000000), ref: 008EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008EECD2
GlobalUnlock.KERNEL32(00000000), ref: 008EECF3
CountClipboardFormats.USER32 ref: 008EED14
CloseClipboard.USER32 ref: 008EED59

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9668af553c1245df6c0ec78cde3267c5773933a6483019f2fa819832806849b9
Instruction ID: dce28d8aab6b19c5951e9653799392967a99d8d715b027aaa02c493c39ca7a48
Opcode Fuzzy Hash: 9668af553c1245df6c0ec78cde3267c5773933a6483019f2fa819832806849b9
Instruction Fuzzy Hash: C261FE74208242AFD310EF29D884F2AB7A4FF85714F148619F45AD72A2DB31DD09DB62

Function 008E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008E69BE
FindClose.KERNEL32(00000000), ref: 008E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008E6A75

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 008E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 008E6ADF

Strings

%03d, xrefs: 008E6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 008E6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008E6B32
%02d, xrefs: 008E6C00, 008E6C0A, 008E6C5A, 008E6CAA, 008E6CFA, 008E6D4A
%4d, xrefs: 008E6BB1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 14e9619ad284e2b16dcf08f1c1027a543b7a5131e3e454f675122f8767736aff
Instruction ID: 7b78551fa48414624654c0d36d787269cc77baf9d14df2c34e5ea7944d95fd1e
Opcode Fuzzy Hash: 14e9619ad284e2b16dcf08f1c1027a543b7a5131e3e454f675122f8767736aff
Instruction Fuzzy Hash: 13D12D72508340AEC714EBA8C882EABB7E8FF99704F44491DF589D7191EB74DA44CB63

Function 008E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008E9663
GetFileAttributesW.KERNEL32(?), ref: 008E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 008E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 008E96D3
FindClose.KERNEL32(00000000), ref: 008E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 008E974A
SetCurrentDirectoryW.KERNEL32(00936B7C), ref: 008E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 008E9772
FindClose.KERNEL32(00000000), ref: 008E977F
FindClose.KERNEL32(00000000), ref: 008E978F

Strings

*.*, xrefs: 008E96F5

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: c1e89b2de4b9bd86a1808db916134b78e233da7e3529893f9ae52d3cff29cefd
Instruction ID: 0e5db32493a9a56cdfcee240fe3dfc5c94d2c0476e66a959a729eb2e6282d82c
Opcode Fuzzy Hash: c1e89b2de4b9bd86a1808db916134b78e233da7e3529893f9ae52d3cff29cefd
Instruction Fuzzy Hash: B331F3725142597EDF20AFB9DC08ADE77ACFF4A320F144166F895E21A1DB70DD448E10

Function 008E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 008E9819
FindClose.KERNEL32(00000000), ref: 008E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 008E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 008E9890
SetCurrentDirectoryW.KERNEL32(00936B7C), ref: 008E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008E98B8
FindClose.KERNEL32(00000000), ref: 008E98C5
FindClose.KERNEL32(00000000), ref: 008E98D5

Part of subcall function 008DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008DDB00

Strings

*.*, xrefs: 008E983B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 428a3c368ba6bcfca20367f757f893d656e06c495cb699a7ee9d38de91531e82
Instruction ID: ab4887762aa1e7f1cf113046c5e61b8dacc2999ad82bee41cc15bba49298c912
Opcode Fuzzy Hash: 428a3c368ba6bcfca20367f757f893d656e06c495cb699a7ee9d38de91531e82
Instruction Fuzzy Hash: 8731A0715042697EDF20AFA9DC48ADE77ACEF47324F148165E890E21E1DBB0D9458E20

Function 008DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

Part of subcall function 008DE199: GetFileAttributesW.KERNEL32(?,008DCF95), ref: 008DE19A

FindFirstFileW.KERNEL32(?,?), ref: 008DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008DD1DD
MoveFileW.KERNEL32(?,?), ref: 008DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008DD237

Part of subcall function 008DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008DD21C,?,?), ref: 008DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008DD253
FindClose.KERNEL32(00000000), ref: 008DD264

Strings

\*.*, xrefs: 008DD0CD, 008DD0D6, 008DD0EB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 43c1729685af587e903f58d2d3069687492adae5aca9e12f027712b51e4613f5
Instruction ID: 241c66699e1140b5214723882d1e608eabd5458b5787f420b56fd75d93185c4f
Opcode Fuzzy Hash: 43c1729685af587e903f58d2d3069687492adae5aca9e12f027712b51e4613f5
Instruction Fuzzy Hash: DA616E3180520D9ECF05EBE8D9929EDB779FF55300F208266E415B7295EB30AF09DB62

Function 008EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008EED91
EmptyClipboard.USER32 ref: 008EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 008EEDAC
CloseClipboard.USER32 ref: 008EEEA3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b8a7a28a044b7f9b3df94bb4d489382cab4b8164208ce4bee5a173e3d26e70e5
Instruction ID: 2ccd1d394ab9b03788b42fad841822b00e8b151aaaf3c6fe4338c4a1248435fc
Opcode Fuzzy Hash: b8a7a28a044b7f9b3df94bb4d489382cab4b8164208ce4bee5a173e3d26e70e5
Instruction Fuzzy Hash: BB41AD75608652AFE720DF1AD888F19BBE1FF45318F14C199E419CB6A2C776EC41CB90

Function 008DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D170D
Part of subcall function 008D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D173A
Part of subcall function 008D16C3: GetLastError.KERNEL32 ref: 008D174A

ExitWindowsEx.USER32(?,00000000), ref: 008DE932

Strings

@, xrefs: 008DE925
, xrefs: 008DE95C
, xrefs: 008DE920
SeShutdownPrivilege, xrefs: 008DE902

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c325418bb1563270a7e1a49553b25ce4ad8d7496e54317fdf677ee9e7d6ac294
Instruction ID: 6f076e28a4d369959ec927100247deb8c2914b01fecc488a7db09807e2cf7eb6
Opcode Fuzzy Hash: c325418bb1563270a7e1a49553b25ce4ad8d7496e54317fdf677ee9e7d6ac294
Instruction Fuzzy Hash: D60126B2621215BFEB1437B89C9ABBF776CFB14744F140B23F802E63D1D5A05C408190

Function 008F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008F1276
WSAGetLastError.WSOCK32 ref: 008F1283
bind.WSOCK32(00000000,?,00000010), ref: 008F12BA
WSAGetLastError.WSOCK32 ref: 008F12C5
closesocket.WSOCK32(00000000), ref: 008F12F4
listen.WSOCK32(00000000,00000005), ref: 008F1303
WSAGetLastError.WSOCK32 ref: 008F130D
closesocket.WSOCK32(00000000), ref: 008F133C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: e5ed1e29b638d0647c0327fa8663fec8972c1c9a96a561aad4753ae3507c045a
Instruction ID: 45f53755890eb6018352c8bc66b8ed5e2539c91d4335f45c4bbd0ea7989348cf
Opcode Fuzzy Hash: e5ed1e29b638d0647c0327fa8663fec8972c1c9a96a561aad4753ae3507c045a
Instruction Fuzzy Hash: BC414D71600154DFDB10DF68C488B29BBE6FF46318F188198E956DF296C771ED81CBA1

Function 008AB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008AB9D4
_free.LIBCMT ref: 008AB9F8
_free.LIBCMT ref: 008ABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00913700), ref: 008ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0094121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00941270,000000FF,?,0000003F,00000000,?), ref: 008ABC36
_free.LIBCMT ref: 008ABD4B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c475aa981a30b4068de7e4a3b5ecf90bc282bddb48cffb3e0322edb61a0a7cf4
Instruction ID: d3d67381cc7ccc98c2ada192d643e524350c006ba2f83e5e6d28a75d57472daf
Opcode Fuzzy Hash: c475aa981a30b4068de7e4a3b5ecf90bc282bddb48cffb3e0322edb61a0a7cf4
Instruction Fuzzy Hash: 8FC13771904258AFEB209F689C41BAA7BF8FF43320F1841AAE590D7A53E7309E41D751

Function 008DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

Part of subcall function 008DE199: GetFileAttributesW.KERNEL32(?,008DCF95), ref: 008DE19A

FindFirstFileW.KERNEL32(?,?), ref: 008DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008DD481
FindClose.KERNEL32(00000000), ref: 008DD498
FindClose.KERNEL32(00000000), ref: 008DD4A1

Strings

\*.*, xrefs: 008DD3F2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 352dee24ad713e16ef5d5977cfee06deae9e9a8288f847c9973564bb2f829314
Instruction ID: 1fd063a3fb5e310d9d4ea32d445a17ca4ea95dcc2d4eda8b8f5c083f2cf7c63c
Opcode Fuzzy Hash: 352dee24ad713e16ef5d5977cfee06deae9e9a8288f847c9973564bb2f829314
Instruction Fuzzy Hash: 453141710183459FC304EF68D8919AF77A8FE95314F448A1EF4E5D2291EB30EA09D767

Function 008AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008AE645

Strings

1#SNAN, xrefs: 008AF844
1#IND, xrefs: 008AF83D
1#QNAN, xrefs: 008AF84B
1#INF, xrefs: 008AF852

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fc09c8566d1baea575e6d83ad7aec9e15ccd5f7891735fbee9a66d06a9401964
Instruction ID: dce6ff473c0f91a3c2999a5f2ddf8e548bd4a3bfe7108983b37f5fab58f2f742
Opcode Fuzzy Hash: fc09c8566d1baea575e6d83ad7aec9e15ccd5f7891735fbee9a66d06a9401964
Instruction Fuzzy Hash: B5C25971E086288FEB25CE68DD407EAB7B5FB4A304F1445EAD50DE7641E778AE818F40

Function 008E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E64DC
CoInitialize.OLE32(00000000), ref: 008E6639
CoCreateInstance.OLE32(0090FCF8,00000000,00000001,0090FB68,?), ref: 008E6650
CoUninitialize.OLE32 ref: 008E68D4

Strings

.lnk, xrefs: 008E64BA, 008E6524, 008E65E0

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 02fa33872e0e6d374c433363e90f7ea5dbf04c1d29a14aeba3d9f9dc819f9369
Instruction ID: d294a09d2b6d0b7cd711adedbb70c20d2ba95221d5f014f48cd5414f7060e843
Opcode Fuzzy Hash: 02fa33872e0e6d374c433363e90f7ea5dbf04c1d29a14aeba3d9f9dc819f9369
Instruction Fuzzy Hash: CCD13971608241AFC314EF28C881D6BB7E8FF95744F10896DF599CB2A5EB70E905CB92

Function 008F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008F22E8

Part of subcall function 008EE4EC: GetWindowRect.USER32(?,?), ref: 008EE504

GetDesktopWindow.USER32 ref: 008F2312
GetWindowRect.USER32(00000000), ref: 008F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008F2355
GetCursorPos.USER32(?), ref: 008F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008F23DF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 76cf34468c87c52e86914c908263a3cbc52177fefaefcd83e7fe653bc48372d8
Instruction ID: 8d6873eb9f0265b7d6f968025b1c5aa8d0fd5ba72436382ec757c9690e64dd7f
Opcode Fuzzy Hash: 76cf34468c87c52e86914c908263a3cbc52177fefaefcd83e7fe653bc48372d8
Instruction Fuzzy Hash: BC31B0B2509319AFD720DF64C849F6BBBA9FF84314F000A19F985D7291DB74E909CB92

Function 008E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008E9C8B

Part of subcall function 008E3874: GetInputState.USER32 ref: 008E38CB
Part of subcall function 008E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008E9C75

Strings

*.*, xrefs: 008E9B5D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 21a3e520be571f6d9b0b6525d4451afc3226d5895432a37364fa232fc1eb5ab1
Instruction ID: 2c602eb2dbf7d44bfa45084ad0f1bac22d57de739eae964c6621f20cd32ffe70
Opcode Fuzzy Hash: 21a3e520be571f6d9b0b6525d4451afc3226d5895432a37364fa232fc1eb5ab1
Instruction Fuzzy Hash: 55418371904249AFCF14EF69C885AEEBBB4FF46310F248155E455E2191EB70DE84CF61

Function 0088997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00889A4E
GetSysColor.USER32(0000000F), ref: 00889B23
SetBkColor.GDI32(?,00000000), ref: 00889B36

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 597d25afafa4c359cce51860948bdd6696e497da8a349d7cef792962419663ed
Instruction ID: 62563c771deb52f2d82fcc43ba63a6efff6b930c9a6ca2cdc2d263924c2c94f9
Opcode Fuzzy Hash: 597d25afafa4c359cce51860948bdd6696e497da8a349d7cef792962419663ed
Instruction Fuzzy Hash: CDA11B70218428BEE72CBA2C9C49F7B36ADFB82354B18410DF582D6AD2CA35DD41D772

Function 008F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008F307A
Part of subcall function 008F304E: _wcslen.LIBCMT ref: 008F309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008F185D
WSAGetLastError.WSOCK32 ref: 008F1884
bind.WSOCK32(00000000,?,00000010), ref: 008F18DB
WSAGetLastError.WSOCK32 ref: 008F18E6
closesocket.WSOCK32(00000000), ref: 008F1915

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9699028dba8f3e5369f02cda1ca85fbc045547ddc69e63ce6bc93d209f10ad2e
Instruction ID: c0a7c2f08af0e639619a7ed9af94253233efab150cfcc8481241fbf295b6c163
Opcode Fuzzy Hash: 9699028dba8f3e5369f02cda1ca85fbc045547ddc69e63ce6bc93d209f10ad2e
Instruction Fuzzy Hash: 7951A371A002049FDB10AF28C886F3A77A5FB45718F14C058F9099F397DB71ED418BA2

Function 00901C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00901CC0
IsWindowEnabled.USER32 ref: 00901CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00901CDB
IsIconic.USER32 ref: 00901CE9
IsZoomed.USER32 ref: 00901CF7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a1af63b4ddd1dc4eb53fe5802c86acfdfb5c27b890794fac2ac21d1b18fd99da
Instruction ID: 0c8d909a05cc784c0fb9512e6c839506e5b0032f636088904567cb227032b55e
Opcode Fuzzy Hash: a1af63b4ddd1dc4eb53fe5802c86acfdfb5c27b890794fac2ac21d1b18fd99da
Instruction Fuzzy Hash: 6D2174717442115FE7208F2AC884B5A7BE9FF95315F198059E88ACB3D1CB75EC42DB90

Function 00878060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008B5DF0
VUUU, xrefs: 008783E8
VUUU, xrefs: 0087843C
VUUU, xrefs: 008783FA
ERCP, xrefs: 0087813C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4acfdb28180906a825ead8aa434bf8643048d8576ef558719f3973d2b76c1543
Instruction ID: 25373d4dfa6fedc39a9d93a1d27cd8250f0573510e06d070b5af64565693f878
Opcode Fuzzy Hash: 4acfdb28180906a825ead8aa434bf8643048d8576ef558719f3973d2b76c1543
Instruction Fuzzy Hash: CEA24871A4061ACBDF24CF58C8447EEB7B1FB54314F2481AAE819E7389EB74DD918B90

Function 008DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008DAAAC
SetKeyboardState.USER32(00000080), ref: 008DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008DAB88

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 726455193f199a47c210d5c3dfca57d19728961731e73c86947db5f9ef3cf4fc
Instruction ID: 4703af49c4bbb4a426e1b15323b6dfde88a26a654547e871010164657e8b8a75
Opcode Fuzzy Hash: 726455193f199a47c210d5c3dfca57d19728961731e73c86947db5f9ef3cf4fc
Instruction Fuzzy Hash: 4E31E770A40258AEEB398B688C05BFE7BA6FB45330F24431BF581D63D1D7758982D762

Function 008ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008ECE89
GetLastError.KERNEL32(?,00000000), ref: 008ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 008ECEFE

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 8f294e1ace75a6c58ec1da3b95103b0c9b52dcf5d9b65fc13d1a399af8765cac
Instruction ID: 41f0a5accb6e02a6aa58a9b34500942c8f551d2d98f7cf13c90711ced5247e62
Opcode Fuzzy Hash: 8f294e1ace75a6c58ec1da3b95103b0c9b52dcf5d9b65fc13d1a399af8765cac
Instruction Fuzzy Hash: E221BDB1904306AFDB20DFA6C949BAA7BF8FB42318F10441EE546D2151EB70EE069B60

Function 008D8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008D82AA

Strings

(, xrefs: 008D82F0
|, xrefs: 008D82DA

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 320bdd79aaffa5ec0595a7e975dabf26f685c6b4938613863dda68b028585993
Instruction ID: 27926c36e77c57f9ab36c61b042b62fe2a6a3b06a0e612a004275058ddb5f7d6
Opcode Fuzzy Hash: 320bdd79aaffa5ec0595a7e975dabf26f685c6b4938613863dda68b028585993
Instruction Fuzzy Hash: E1322474A00605DFCB28CF59C481A6AB7F1FF48720B15C56EE59ADB3A1EB70E941CB44

Function 008E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 008E5D17
FindClose.KERNEL32(?), ref: 008E5D5F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: de017e0ba2c0b2f84e8f949ee32c89fa9d0d462be21973671686dd16c39b2844
Instruction ID: 423cc0d6b33540b18d2c5d5c3294fe3ee1f944036c8cc68777beed64e1e89b56
Opcode Fuzzy Hash: de017e0ba2c0b2f84e8f949ee32c89fa9d0d462be21973671686dd16c39b2844
Instruction Fuzzy Hash: 93518A74604A419FC714DF29C894A9AB7E4FF4A318F14856DE96ACB3A2CB30ED44CB91

Function 008A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008A2731

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1fe84d59c2b9ed5711f9c8d78ea4a827eb4e5cf69bb4bf9df8449d255bc1afa4
Instruction ID: 61e6747cfb520bea1ca510459b9559d0b1b675f2335828cf67c1ab596bb377ce
Opcode Fuzzy Hash: 1fe84d59c2b9ed5711f9c8d78ea4a827eb4e5cf69bb4bf9df8449d255bc1afa4
Instruction Fuzzy Hash: 7731B474911228ABCB21DF68DD89799B7B8FF08310F5042EAE81CA6261E7349F819F45

Function 008E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008E5238
SetErrorMode.KERNEL32(00000000), ref: 008E52A1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 408b82f232e074a82d9e3e8a768ae7421a7d25fb5ee8c01bcd9ba04fcf9bf3c8
Instruction ID: 0937dd0b24a178628bc5c2d167c065ac619c348690a7f07d4e1a8c57032cccdb
Opcode Fuzzy Hash: 408b82f232e074a82d9e3e8a768ae7421a7d25fb5ee8c01bcd9ba04fcf9bf3c8
Instruction Fuzzy Hash: 76318F75A10608DFDB00DF54D884EADBBB5FF09318F048099E909EB3A6CB71E845CB91

Function 008D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0088FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00890668
Part of subcall function 0088FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00890685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D173A
GetLastError.KERNEL32 ref: 008D174A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9ab65270145ec2567f38b8d8a46a556c94dd0a6d89639dabd5beb33e404c4a2c
Instruction ID: 45825ab8938f62c8f4abe5578adb60d5e83885434bc0bff477176cc9ab34b10b
Opcode Fuzzy Hash: 9ab65270145ec2567f38b8d8a46a556c94dd0a6d89639dabd5beb33e404c4a2c
Instruction Fuzzy Hash: 8E11BFB2414208BFDB18AF54DC8AD6AB7BDFF04714B20862EE55692252EB70BC418B20

Function 008DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008DD650

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f54263517a93d03c16895d8061e4c01633f64082b64dbf76e575484b8f896f13
Instruction ID: d9133e4eede7a52e282b234e6c951725526c58afc716ec75ebe8325f44b23e1c
Opcode Fuzzy Hash: f54263517a93d03c16895d8061e4c01633f64082b64dbf76e575484b8f896f13
Instruction Fuzzy Hash: CB1170B1E05228BFDB108F94AC44FAFBBBCEB45B50F108252F904E7290D2704A018BE1

Function 008D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008D16A1
FreeSid.ADVAPI32(?), ref: 008D16B1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b522c37ea033248ed020688d65433e7a0b6fb312b95bc025831bd75a88dfe316
Instruction ID: 120f1e9697350f59ba9f96a1ca799b1c3871bf90ea25b6ed4a3dbc7bdce7d3fe
Opcode Fuzzy Hash: b522c37ea033248ed020688d65433e7a0b6fb312b95bc025831bd75a88dfe316
Instruction Fuzzy Hash: A5F0F4B1950309FFEF00DFE49D89AAEBBBCFB08604F504665E501E2181E774AA449A50

Function 008AC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008AC36C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f9432f8f68c45c7ecd894f4060e978fc5191903ddf488e017aac16dd434d2d40
Instruction ID: 1b3541fdb14b96967389a491fffe4121c9b70b1b76f4e6cb3e03e730cb75ac0c
Opcode Fuzzy Hash: f9432f8f68c45c7ecd894f4060e978fc5191903ddf488e017aac16dd434d2d40
Instruction Fuzzy Hash: 95414776900618AFEF209FB9CC48EBB77B8FB86314F1042A9F905D7680E6709D80CB50

Function 0089CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6df62eff897fea677e31b1417e8011e20c5b0cb7f9535fae5d6cc56799a804fb
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 31021D71E002199FDF14DFA9C9906ADFBF1FF48314F298169E819EB384D731AA418B94

Function 008E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008E6918
FindClose.KERNEL32(00000000), ref: 008E6961

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0f026cc7049b516e9ac0e288937bdb53122a16f250bafec3f5d98cce66a073a1
Instruction ID: 399f63ecc0f0838b49754a917ba991d1ef861aae114c24522bf03b5e828f2053
Opcode Fuzzy Hash: 0f026cc7049b516e9ac0e288937bdb53122a16f250bafec3f5d98cce66a073a1
Instruction Fuzzy Hash: FE1190716142409FC710DF2AD484A1ABBE5FF85328F14C69DE469CF6A2DB30EC05CB91

Function 008E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,008F4891,?,?,00000035,?), ref: 008E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,008F4891,?,?,00000035,?), ref: 008E37F4

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 312323a96a487ced89d41588f2ccdc1059b98050efe9f6b51336024a470beeb4
Instruction ID: 5e5268195f7dff8b27d5dfec67ca359b85023e6e397074c06a4d367e341c069a
Opcode Fuzzy Hash: 312323a96a487ced89d41588f2ccdc1059b98050efe9f6b51336024a470beeb4
Instruction Fuzzy Hash: 0BF0E5B16052292AEB20176B8C4DFEB3AAEFFC5765F000275F509E3281D9609D04C6B1

Function 008DB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008DB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 008DB270

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e9b8688fa0d5fc64f3eb707af6bb28c7838bca7dd271425e1f459a7a86b1bca8
Instruction ID: c08c2f5c8afd52d7317e70df5e97740251da5bf107efd12efeb20a46f88c3ebe
Opcode Fuzzy Hash: e9b8688fa0d5fc64f3eb707af6bb28c7838bca7dd271425e1f459a7a86b1bca8
Instruction Fuzzy Hash: 2EF01D7581424DAFDB059FA0C805BAE7BB4FF04309F00810AF955E6291C37996119F94

Function 008D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D11FC), ref: 008D10D4
CloseHandle.KERNEL32(?,?,008D11FC), ref: 008D10E9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b13b4004178b65742d9920e338617c3c4f803469db5878b7227bda46c750970b
Instruction ID: fe2733f254cf92e79770933e678cba925e0f475acc39eb3ae1abe0cca36936da
Opcode Fuzzy Hash: b13b4004178b65742d9920e338617c3c4f803469db5878b7227bda46c750970b
Instruction Fuzzy Hash: 01E04F72018600EEEB252B15FC09E7377A9FF04310B10892EF5A5C04B1DB626CA0EB10

Function 0087CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008C0C40

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8812a11cfbc1015b1add890319d0d6b4344e82ce89b2073c658395a9a4a2816f
Instruction ID: a91ef9daa8a34843f980f61eedcbf42fe878cefa4ca43cdce5d829ede0349261
Opcode Fuzzy Hash: 8812a11cfbc1015b1add890319d0d6b4344e82ce89b2073c658395a9a4a2816f
Instruction Fuzzy Hash: AF324470904218DBDF14DF94C880BEDBBB5FB05348F24806DE80AEB296DB75EA45DB61

Function 008A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008A6766,?,?,00000008,?,?,008AFEFE,00000000), ref: 008A6998

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8859cbcfd05377ecaec92f21b6b9288aade7c2e514ebfa95a245a7c847de87b6
Instruction ID: 0dc82cec07daad9fca6c2f051884cc6eead1756383c73182bc0797cd5356a647
Opcode Fuzzy Hash: 8859cbcfd05377ecaec92f21b6b9288aade7c2e514ebfa95a245a7c847de87b6
Instruction Fuzzy Hash: D3B16E31510608DFE715CF28C48AB657BE0FF06364F298658E999CF6A5D339E9A1CB40

Function 0088B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008C851F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ed220bdd874db85815af22ad4f2a0f9af121e6cc6c6d343495a783600786e20b
Instruction ID: 899d0dfed7bdabd708ad9e454a523ee20dbf1681fca52b4f72961b46d2d928b0
Opcode Fuzzy Hash: ed220bdd874db85815af22ad4f2a0f9af121e6cc6c6d343495a783600786e20b
Instruction Fuzzy Hash: 14124E71900229DFDB14DF58C881BAEB7F5FF48710F1481AAE849EB255DB709E81CB94

Function 008EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008EEABD

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f48e4831c16cf0c14c7d3ebed7e7e5585abb6d8473e1aa5767b630887b23cee3
Instruction ID: 0ff90fc5b14d26bff8949e925b5f01abc85972ca121a14fb1491eee75be05d55
Opcode Fuzzy Hash: f48e4831c16cf0c14c7d3ebed7e7e5585abb6d8473e1aa5767b630887b23cee3
Instruction Fuzzy Hash: 7FE01A312102149FC710EF6AD804E9AB7E9FFA9764F00842AFC49C7291DBB0E8408B91

Function 008909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008903EE), ref: 008909DA

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f2186fa7556b118037bbaf52851924e4cfa28b9d45be9b495200e82146f2b644
Instruction ID: a671a80208a6119f6cda156b34aaaeca8754292876a4f5d32ea3016fd51647f2
Opcode Fuzzy Hash: f2186fa7556b118037bbaf52851924e4cfa28b9d45be9b495200e82146f2b644
Instruction Fuzzy Hash:

Function 0089781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0089798B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 105b450523e1649301ffa90e137fbbd2545c2f16bb718132ab4ff5bb287f466e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: D951696163C64A9BDF38752C885D7BE2BC5FB12348F1C0539E882E7682C619DE02D35E

Function 008A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d5a8e90960c8f1d2ba8e33c6308e8977bf94e22675592eb2d05fdde4f66e38
Instruction ID: 1b0cba2d3fa15c0dbeba15f5be1d8efd7691bb5841c057fc75cc0625c0f53cec
Opcode Fuzzy Hash: 89d5a8e90960c8f1d2ba8e33c6308e8977bf94e22675592eb2d05fdde4f66e38
Instruction Fuzzy Hash: 8332D022E2DF414DE7239634DC22326A649EFB73C5F15D737E81AB5DA5EB29C483A100

Function 0088CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a039471da09ba94f2fcf04afa7001cb0c6ce103b1bb2b5016f0ddc1e6fb4488
Instruction ID: a5271d885d2b0550bf15e097e8bb1f8ac2663c1a87e9888dfed51afaacd8af1e
Opcode Fuzzy Hash: 2a039471da09ba94f2fcf04afa7001cb0c6ce103b1bb2b5016f0ddc1e6fb4488
Instruction Fuzzy Hash: 07321132A041198BCF28CE29C494F7DBBB2FB45314F28856ED88ECB695D234DD81EB51

Function 00877920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7039b93a23456499c7d084beaab878b4e053b510e73c2f4ec42921b2c16ecc
Instruction ID: 27c35ca02b0a6ceef9c1cfbd93ae8ea88eaef3d44ca4d800402790c176930c7c
Opcode Fuzzy Hash: 1a7039b93a23456499c7d084beaab878b4e053b510e73c2f4ec42921b2c16ecc
Instruction Fuzzy Hash: B522ADB0A0460A9FDF14DFA8C881AEEB7B5FF48314F148529E816E7395EB35E910CB51

Function 008791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc9a8ffe724a659bac68f487add9bfa88ab0fe0ee081fc3c855c90fadebf352
Instruction ID: 685bd8c70cad02d24edb7cb07262983dfdfe3bd63c06b902cf231f36a7a8af5d
Opcode Fuzzy Hash: 0bc9a8ffe724a659bac68f487add9bfa88ab0fe0ee081fc3c855c90fadebf352
Instruction Fuzzy Hash: 9802B5B0A10119EFDB04DF58D881AEEB7B5FF54304F108169E95ADB395EB31EA20CB91

Function 00891C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a074150c2dd5fb59358b569a7ec250fd691d23945d908b4731851ed8eb43c215
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 4691667220D0A34ADF2D563A857C03EFFE1EA923A535E079DD4F2CA1C5EE24D954D620

Function 008919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a340619519cbb46b2fa361b0810d7d85faf80f03e968c65e90b42354c0bab351
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1891327220D0A34EDF69567A857C03DFFE1EA923B635E079ED4F2CA1C1FE2489549620

Function 00897A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88912d78f17b9f7e76a7e7888c5e540673094bc27063998412c1867103ad44f
Instruction ID: f91c3c07ee2af0abcd856d2d7e404d97143fd8be0754761141577203fe9e8c7a
Opcode Fuzzy Hash: c88912d78f17b9f7e76a7e7888c5e540673094bc27063998412c1867103ad44f
Instruction Fuzzy Hash: 2761897133871A96DE38BA2C8C95BBE23D5FF42768F1C091AE943DB281D6119E42C356

Function 00897CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d44300341ae8107b29ad537ea03f0fe37ad3e27bb54be6a3212d7755711ef
Instruction ID: 2ae9cd3516b8a21a1cbb27b87475cb178e3065e9e9464a80a4934eccf0bf9820
Opcode Fuzzy Hash: d03d44300341ae8107b29ad537ea03f0fe37ad3e27bb54be6a3212d7755711ef
Instruction Fuzzy Hash: 0D61697173C70997DE387A2C8855BBF2394FF42B08F1C0959E943DB685EA12AD428356

Function 00891706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 77bcab7ab5f2550ddafc6b94928308da9144f2564d37e161bfa6986ace8766b8
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 6081737260C0A309DF6D527A857C03EFFE1FA923A135E07ADD4F2CA1C5EE248554E620

Function 008E2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105625d196adb4cacc2b8cf326e0780631eaf0d45eebb35ffc3e5cf000b08b56
Instruction ID: 6993a225497bb729d2b222709f5de7219772f2010995d7905d0f5705717935d9
Opcode Fuzzy Hash: 105625d196adb4cacc2b8cf326e0780631eaf0d45eebb35ffc3e5cf000b08b56
Instruction Fuzzy Hash: 1C21A8326206158BD728CF79C81267A73E9F755310F55862EE4A7C37D0DE35A904DB80

Function 008F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008F2B30
DeleteObject.GDI32(00000000), ref: 008F2B43
DestroyWindow.USER32 ref: 008F2B52
GetDesktopWindow.USER32 ref: 008F2B6D
GetWindowRect.USER32(00000000), ref: 008F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2CF8
GetClientRect.USER32(00000000,?), ref: 008F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D80
GlobalLock.KERNEL32(00000000), ref: 008F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D98
GlobalUnlock.KERNEL32(00000000), ref: 008F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2DA8
GlobalFree.KERNEL32(00000000), ref: 008F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0090FC38,00000000), ref: 008F2DDB
GlobalFree.KERNEL32(00000000), ref: 008F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F303F

Strings

DISPLAY, xrefs: 008F2EA2
, xrefs: 008F2FC5
AutoIt v3, xrefs: 008F2CF2
static, xrefs: 008F2D3A, 008F2E91

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aad809456f245fd59cd0b13bc4ee62ff8417c3132265e841d57eaf39b6a76426
Instruction ID: 276de968b6450524c39d4666502bd9f60418d6521995a36295bf0aec4526aad7
Opcode Fuzzy Hash: aad809456f245fd59cd0b13bc4ee62ff8417c3132265e841d57eaf39b6a76426
Instruction Fuzzy Hash: F9026BB5510209AFDB14DF68CC89EAE7BB9FB49714F108218F915EB2A1CB70ED01DB60

Function 009070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0090712F
GetSysColorBrush.USER32(0000000F), ref: 00907160
GetSysColor.USER32(0000000F), ref: 0090716C
SetBkColor.GDI32(?,000000FF), ref: 00907186
SelectObject.GDI32(?,?), ref: 00907195
InflateRect.USER32(?,000000FF,000000FF), ref: 009071C0
GetSysColor.USER32(00000010), ref: 009071C8
CreateSolidBrush.GDI32(00000000), ref: 009071CF
FrameRect.USER32(?,?,00000000), ref: 009071DE
DeleteObject.GDI32(00000000), ref: 009071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00907230
FillRect.USER32(?,?,?), ref: 00907262
GetWindowLongW.USER32(?,000000F0), ref: 00907284

Part of subcall function 009073E8: GetSysColor.USER32(00000012), ref: 00907421
Part of subcall function 009073E8: SetTextColor.GDI32(?,?), ref: 00907425
Part of subcall function 009073E8: GetSysColorBrush.USER32(0000000F), ref: 0090743B
Part of subcall function 009073E8: GetSysColor.USER32(0000000F), ref: 00907446
Part of subcall function 009073E8: GetSysColor.USER32(00000011), ref: 00907463
Part of subcall function 009073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00907471
Part of subcall function 009073E8: SelectObject.GDI32(?,00000000), ref: 00907482
Part of subcall function 009073E8: SetBkColor.GDI32(?,00000000), ref: 0090748B
Part of subcall function 009073E8: SelectObject.GDI32(?,?), ref: 00907498
Part of subcall function 009073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009074B7
Part of subcall function 009073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009074CE
Part of subcall function 009073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009074DB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a979cf2cf5ff58d258f104d821888c77e5f05adabc01909ea3412729586754ed
Instruction ID: f152102da4dba74fe6677f13227c15cbd1bf4ff6ef63ced6ceddf38adbdb9f4c
Opcode Fuzzy Hash: a979cf2cf5ff58d258f104d821888c77e5f05adabc01909ea3412729586754ed
Instruction Fuzzy Hash: E4A19EB241C301AFDB109FA4DC48A6BBBA9FF89331F100B19F962961E1D735E944DB51

Function 00888D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00888E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 008C6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008C6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008C6F43

Part of subcall function 00888F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00888BE8,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 00888FC5

SendMessageW.USER32(?,00001053), ref: 008C6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008C6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 008C6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 008C6FB7

Strings

0, xrefs: 008C6DCF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5569efb5bada4b54b71392b7c0011f39088d2a7341fd96c28738300106c813d9
Instruction ID: fa5796f59edb7375e824bda5f97e1e27d56ca697ac0cdd8449315358b93196f5
Opcode Fuzzy Hash: 5569efb5bada4b54b71392b7c0011f39088d2a7341fd96c28738300106c813d9
Instruction Fuzzy Hash: CA128834208201EFDB25DF28D884FAAB7B1FB49310F54456DF585CB261DB32E8A2DB91

Function 008F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008F2900
GetClientRect.USER32(00000000,?), ref: 008F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F2964
GetStockObject.GDI32(00000011), ref: 008F2974
SelectObject.GDI32(00000000,00000000), ref: 008F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F2991
DeleteDC.GDI32(00000000), ref: 008F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 008F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008F2A77
GetStockObject.GDI32(00000011), ref: 008F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008F2A97

Strings

DISPLAY, xrefs: 008F295A
AutoIt v3, xrefs: 008F28F8
static, xrefs: 008F294F, 008F2A71
msctls_progress32, xrefs: 008F2A13

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b3b1ff1df70eebab397c6c6e9fed0e7712d7d56bf8c287a6599ffca6a1956c75
Instruction ID: 4f69484e124941d7f45cacb02607f708f5202ac6e95f9417cd98e0dd916ab534
Opcode Fuzzy Hash: b3b1ff1df70eebab397c6c6e9fed0e7712d7d56bf8c287a6599ffca6a1956c75
Instruction Fuzzy Hash: D7B15CB5A50219AFEB14DFA8CC49FAE7BA9FB49710F108214FA14E7290D770ED40DB90

Function 008E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E4AED
GetDriveTypeW.KERNEL32(?,0090CB68,?,\\.\,0090CC08), ref: 008E4BCA
SetErrorMode.KERNEL32(00000000,0090CB68,?,\\.\,0090CC08), ref: 008E4D36

Strings

FileBackedVirtual, xrefs: 008E4CEC
ATA, xrefs: 008E4C98
iSCSI, xrefs: 008E4CC2
PhysicalDrive, xrefs: 008E4B76
Fibre, xrefs: 008E4CAD
RAID, xrefs: 008E4CBB
CDROM, xrefs: 008E4BFB
SCSI, xrefs: 008E4C8A
\\.\, xrefs: 008E4B3F
Unknown, xrefs: 008E4BED, 008E4C83
MMC, xrefs: 008E4CDE
1394, xrefs: 008E4C9F
Network, xrefs: 008E4C02
SSD, xrefs: 008E4C4A
Fixed, xrefs: 008E4C09
SAS, xrefs: 008E4CC9
ATAPI, xrefs: 008E4C91
RAMDisk, xrefs: 008E4BF4
SATA, xrefs: 008E4CD0
Removable, xrefs: 008E4C10, 008E4C15
Virtual, xrefs: 008E4CE5
USB, xrefs: 008E4CB4
SSA, xrefs: 008E4CA6

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 05adb2026b2b799f6197f95cc35f2ca2fdd40bbee3a7095f4d0acf0e3de64836
Instruction ID: 49996e6f81d96703908c1d8150ad63584f20e0c3dd71e98db69a2c10db0d5388
Opcode Fuzzy Hash: 05adb2026b2b799f6197f95cc35f2ca2fdd40bbee3a7095f4d0acf0e3de64836
Instruction Fuzzy Hash: 9F619030609249ABCB14DF29C98296977F1FB86308F34E015F80EEB691DB35ED41DB52

Function 009073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00907421
SetTextColor.GDI32(?,?), ref: 00907425
GetSysColorBrush.USER32(0000000F), ref: 0090743B
GetSysColor.USER32(0000000F), ref: 00907446
CreateSolidBrush.GDI32(?), ref: 0090744B
GetSysColor.USER32(00000011), ref: 00907463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00907471
SelectObject.GDI32(?,00000000), ref: 00907482
SetBkColor.GDI32(?,00000000), ref: 0090748B
SelectObject.GDI32(?,?), ref: 00907498
InflateRect.USER32(?,000000FF,000000FF), ref: 009074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00907554
InflateRect.USER32(?,000000FD,000000FD), ref: 00907572
DrawFocusRect.USER32(?,?), ref: 0090757D
GetSysColor.USER32(00000011), ref: 0090758E
SetTextColor.GDI32(?,00000000), ref: 00907596
DrawTextW.USER32(?,009070F5,000000FF,?,00000000), ref: 009075A8
SelectObject.GDI32(?,?), ref: 009075BF
DeleteObject.GDI32(?), ref: 009075CA
SelectObject.GDI32(?,?), ref: 009075D0
DeleteObject.GDI32(?), ref: 009075D5
SetTextColor.GDI32(?,?), ref: 009075DB
SetBkColor.GDI32(?,?), ref: 009075E5

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 795f5513566ff4de31de18a40b42a49631f2fea2a023cc32495e789b575df11e
Instruction ID: d69b70b8f7ae0462a1c6196eeb87db4c7de145aa5c27d0e84976cccea9c2dcee
Opcode Fuzzy Hash: 795f5513566ff4de31de18a40b42a49631f2fea2a023cc32495e789b575df11e
Instruction Fuzzy Hash: 10616276D08218AFDF019FA4DC49AEEBF79EB09320F104215F911AB2E1D775A940DB90

Function 00900FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00901128
GetDesktopWindow.USER32 ref: 0090113D
GetWindowRect.USER32(00000000), ref: 00901144
GetWindowLongW.USER32(?,000000F0), ref: 00901199
DestroyWindow.USER32(?), ref: 009011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0090121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00901232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00901245
IsWindowVisible.USER32(00000000), ref: 009012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009012D0
GetWindowRect.USER32(00000000,?), ref: 009012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0090130E
GetMonitorInfoW.USER32(00000000,?), ref: 00901328
CopyRect.USER32(?,?), ref: 0090133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009013AA

Strings

(, xrefs: 0090131B
tooltips_class32, xrefs: 009011E6
0, xrefs: 009010D3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d1ef8fc518506cb8d3005e1786ced8cc654eb6b517675aefce51b006265b5bbe
Instruction ID: 60dc96cab401728080d8681f473ab7e143f948d7cd0b9fa37bcf60ecf615025b
Opcode Fuzzy Hash: d1ef8fc518506cb8d3005e1786ced8cc654eb6b517675aefce51b006265b5bbe
Instruction Fuzzy Hash: B5B17C71608341AFD714DF68C884B6ABBE8FF84754F00891DF999DB2A1CB71E845CB92

Function 00900241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009002E5
_wcslen.LIBCMT ref: 0090031F
_wcslen.LIBCMT ref: 00900389
_wcslen.LIBCMT ref: 009003F1
_wcslen.LIBCMT ref: 00900475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00900504

Part of subcall function 0088F9F2: _wcslen.LIBCMT ref: 0088F9FD

Part of subcall function 008D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D2258
Part of subcall function 008D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D228A

Strings

VIEWCHANGE, xrefs: 00900675
SELECTALL, xrefs: 00900515
SELECTINVERT, xrefs: 0090057E
GETITEMCOUNT, xrefs: 00900316, 00900337
SELECTCLEAR, xrefs: 0090052D
GETSELECTED, xrefs: 009005E1
GETSUBITEMCOUNT, xrefs: 00900384, 0090039F
ISSELECTED, xrefs: 009004DD
GETTEXT, xrefs: 009003EC, 00900407
SELECT, xrefs: 00900548
FINDITEM, xrefs: 00900627
GETSELECTEDCOUNT, xrefs: 00900470, 0090048B
DESELECT, xrefs: 0090059C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f7aa96fc1e1b79f71f48af20ca3aad146177d093b3d60ac5b8e948bc5bbd0b2a
Instruction ID: 5590849f486f15c63c1666ccf1f6cbeeee5673565f78c8a9ea4dc5b5ba7c0bce
Opcode Fuzzy Hash: f7aa96fc1e1b79f71f48af20ca3aad146177d093b3d60ac5b8e948bc5bbd0b2a
Instruction Fuzzy Hash: 9EE17C312082018FC724DF28C951A2AB7E6FFD8714F148A5DF89A9B3A5DB31ED45CB52

Function 00888891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00888968
GetSystemMetrics.USER32(00000007), ref: 00888970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0088899B
GetSystemMetrics.USER32(00000008), ref: 008889A3
GetSystemMetrics.USER32(00000004), ref: 008889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00888A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00888A3C
GetClientRect.USER32(00000000,000000FF), ref: 00888A5A
GetStockObject.GDI32(00000011), ref: 00888A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00888A81

Part of subcall function 0088912D: GetCursorPos.USER32(?), ref: 00889141
Part of subcall function 0088912D: ScreenToClient.USER32(00000000,?), ref: 0088915E
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000001), ref: 00889183
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000002), ref: 0088919D

SetTimer.USER32(00000000,00000000,00000028,008890FC), ref: 00888AA8

Strings

AutoIt v3 GUI, xrefs: 00888A20

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4ce194bffa2af945f29a0d9a7523e96a17fa1b6091bc0caa31574c9c5f8d4282
Instruction ID: 7f8fad257259a88269d16fd6917e85a8f2bb579c297b2c090197105a2d7ec0b3
Opcode Fuzzy Hash: 4ce194bffa2af945f29a0d9a7523e96a17fa1b6091bc0caa31574c9c5f8d4282
Instruction Fuzzy Hash: 7DB16775A1420AEFDB14EFA8DC85FAA3BB5FB48314F104229FA15E7290DB34E840DB51

Function 008D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D1114
Part of subcall function 008D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1120
Part of subcall function 008D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D112F
Part of subcall function 008D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1136
Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D0E29
GetLengthSid.ADVAPI32(?), ref: 008D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D0E96
GetLengthSid.ADVAPI32(?), ref: 008D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008D0EB5
HeapAlloc.KERNEL32(00000000), ref: 008D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D0EDD
CopySid.ADVAPI32(00000000), ref: 008D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0F6E
HeapFree.KERNEL32(00000000), ref: 008D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0F7E
HeapFree.KERNEL32(00000000), ref: 008D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0F8E
HeapFree.KERNEL32(00000000), ref: 008D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008D0FA1
HeapFree.KERNEL32(00000000), ref: 008D0FA8

Part of subcall function 008D1193: GetProcessHeap.KERNEL32(00000008,008D0BB1,?,00000000,?,008D0BB1,?), ref: 008D11A1
Part of subcall function 008D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008D0BB1,?), ref: 008D11A8
Part of subcall function 008D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008D0BB1,?), ref: 008D11B7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a1895e1a30a90a5a011c396e8325ee78300ba7c95ee12793ab7e1a1d6347b992
Instruction ID: 151e03d17dc7517e895989ee18b5ad10913183cf4c2e32bab5ac2a5f1169d660
Opcode Fuzzy Hash: a1895e1a30a90a5a011c396e8325ee78300ba7c95ee12793ab7e1a1d6347b992
Instruction Fuzzy Hash: 4E714AB290420AAFDF209FA5DC48BEEBBB8FF04310F144216F959E6291DB719905DF60

Function 008FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0090CC08,00000000,?,00000000,?,?), ref: 008FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008FC5A4
_wcslen.LIBCMT ref: 008FC5F4
_wcslen.LIBCMT ref: 008FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008FC84D
RegCloseKey.ADVAPI32(?), ref: 008FC881
RegCloseKey.ADVAPI32(00000000), ref: 008FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008FC960

Strings

REG_MULTI_SZ, xrefs: 008FC6F5
REG_QWORD, xrefs: 008FC8C3
REG_BINARY, xrefs: 008FC913
REG_SZ, xrefs: 008FC644
REG_EXPAND_SZ, xrefs: 008FC5CD
REG_DWORD, xrefs: 008FC804

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ee94fc21218feed68d3c7e1b5d4787c1b638e40095652486188a270366011b53
Instruction ID: 273c3c05090b5a94c870b4d99416c357c9691ac358cca2851d8d091433cf52e5
Opcode Fuzzy Hash: ee94fc21218feed68d3c7e1b5d4787c1b638e40095652486188a270366011b53
Instruction Fuzzy Hash: 4B1256756042059FDB14DF28C981A2AB7E5FF88714F14885CF99ADB3A2DB31ED41CB82

Function 0090091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009009C6
_wcslen.LIBCMT ref: 00900A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00900A54
_wcslen.LIBCMT ref: 00900A8A
_wcslen.LIBCMT ref: 00900B06
_wcslen.LIBCMT ref: 00900B81

Part of subcall function 0088F9F2: _wcslen.LIBCMT ref: 0088F9FD

Part of subcall function 008D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008D2BFA

Strings

ISCHECKED, xrefs: 00900CE1
COLLAPSE, xrefs: 00900B01, 00900B1C
EXPAND, xrefs: 00900BF8
UNCHECK, xrefs: 00900D3E
GETTEXT, xrefs: 00900C97
SELECT, xrefs: 00900D11
GETITEMCOUNT, xrefs: 00900C1E
CHECK, xrefs: 00900A85, 00900AA0
EXISTS, xrefs: 00900B7C, 00900B97
GETTOTALCOUNT, xrefs: 009009F2, 00900A17
GETSELECTED, xrefs: 00900C4E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: a284d5de7ccb54fa6f04457bd70d6b5b6e9408ce10fe041b3a679096bd6e3562
Instruction ID: 987cb2afa442a6a7bbbf4873b5fd7e36a4531ffe856ee74bce2b51795744df92
Opcode Fuzzy Hash: a284d5de7ccb54fa6f04457bd70d6b5b6e9408ce10fe041b3a679096bd6e3562
Instruction Fuzzy Hash: 75E138712087019FCB14DF28C450A2AB7E5FFD9314F148959F89A9B3A2DB31ED45CB92

Function 008FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
_wcslen.LIBCMT ref: 008FC9F1
_wcslen.LIBCMT ref: 008FCA68
_wcslen.LIBCMT ref: 008FCA9E
_wcslen.LIBCMT ref: 008FCAF9
_wcslen.LIBCMT ref: 008FCB2F
_wcslen.LIBCMT ref: 008FCB7F

Strings

HKU, xrefs: 008FCBF0
HKEY_CLASSES_ROOT, xrefs: 008FCAF3, 008FCAF8
HKCC, xrefs: 008FCBAC
HKEY_CURRENT_USER, xrefs: 008FCBBD
HKLM, xrefs: 008FCA98, 008FCA9D
HKCU, xrefs: 008FCBCE
HKCR, xrefs: 008FCB29, 008FCB2E
HKEY_CURRENT_CONFIG, xrefs: 008FCB79, 008FCB7E
HKEY_USERS, xrefs: 008FCBDF
HKEY_LOCAL_MACHINE, xrefs: 008FCA62, 008FCA67

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3c57791cff102df5a324cf988e88b46894dcc392e3157ffa8f5bef897160b787
Instruction ID: 3541037993a63915a3a670af827ac7d81d9098073e3da11e7ba609822b9c3b31
Opcode Fuzzy Hash: 3c57791cff102df5a324cf988e88b46894dcc392e3157ffa8f5bef897160b787
Instruction Fuzzy Hash: 8171D07260012E8BCB20DE7CCE519BA3791FFA0764F250528FA56E7285EA31DF4587A1

Function 0090833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090835A
_wcslen.LIBCMT ref: 0090836E
_wcslen.LIBCMT ref: 00908391
_wcslen.LIBCMT ref: 009083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00905BF2), ref: 0090844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00908487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00908501
FreeLibrary.KERNEL32(?), ref: 0090850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090851D
DestroyIcon.USER32(?,?,?,?,?,00905BF2), ref: 0090852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00908549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00908555

Strings

.dll, xrefs: 009083AB
.icl, xrefs: 00908368
.exe, xrefs: 00908388

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 2485f32a355216124ee46851ee8ce329364a86d25c591c81b003782fbc5f8d04
Instruction ID: 3a541b519e0f96f20461c26bc3ad38b51608b0441b927ebd7f5d97c1e657f6fa
Opcode Fuzzy Hash: 2485f32a355216124ee46851ee8ce329364a86d25c591c81b003782fbc5f8d04
Instruction Fuzzy Hash: 4D61ADB1614219BEEB249F64CC81BBF7BACFB04B21F104649F855D61E1DB74A980DBA0

Function 00877778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 008B519A
Cannot parse #include, xrefs: 008B5279
", xrefs: 008B5153
#notrayicon, xrefs: 008777E7
#OnAutoItStartRegister, xrefs: 00877817
#comments-start, xrefs: 0087785F, 008778B1
#include-once, xrefs: 0087782F
#include, xrefs: 00877847
#cs, xrefs: 00877873, 008778C5
#requireadmin, xrefs: 008777FF
#comments-end, xrefs: 008778D9
#ce, xrefs: 008778ED
Unterminated group of comments, xrefs: 008B528C
#pragma compile, xrefs: 008777D3
', xrefs: 008B5169

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f7a467b68d1193cfbd2a9061667359ad7e3e59bfbd9787ce9085d5a08d1de5b0
Instruction ID: 6f26da8caa28f74656ed853a65bc7b8fbc5f53a55c9fc305f7cba849166e089a
Opcode Fuzzy Hash: f7a467b68d1193cfbd2a9061667359ad7e3e59bfbd9787ce9085d5a08d1de5b0
Instruction Fuzzy Hash: 0B81F971604205BFDB25BF68CC92FAE3768FF55344F048024F909EA29AEB70DA51D792

Function 008D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008D5A40
SetWindowTextW.USER32(?,?), ref: 008D5A57
GetDlgItem.USER32(?,000003EA), ref: 008D5A6C
SetWindowTextW.USER32(00000000,?), ref: 008D5A72
GetDlgItem.USER32(?,000003E9), ref: 008D5A82
SetWindowTextW.USER32(00000000,?), ref: 008D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008D5AC3
GetWindowRect.USER32(?,?), ref: 008D5ACC
_wcslen.LIBCMT ref: 008D5B33
SetWindowTextW.USER32(?,?), ref: 008D5B6F
GetDesktopWindow.USER32 ref: 008D5B75
GetWindowRect.USER32(00000000), ref: 008D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008D5BD3
GetClientRect.USER32(?,?), ref: 008D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008D5C2F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3a259d916faaae942bc2eea08908321fffd138be7cfdec8a7a57448e66a53e07
Instruction ID: af21d30057abdbeeed54ab89ccf5223eee542544d6d352a27e7b7cf7c1594eba
Opcode Fuzzy Hash: 3a259d916faaae942bc2eea08908321fffd138be7cfdec8a7a57448e66a53e07
Instruction Fuzzy Hash: D9717E71900B09AFDB20DFA8CE85A6EBBF5FF48714F104A1AE142E26A0D775E940DB50

Function 008900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008900C6

Part of subcall function 008900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0094070C,00000FA0,BF9A5D26,?,?,?,?,008B23B3,000000FF), ref: 0089011C
Part of subcall function 008900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008B23B3,000000FF), ref: 00890127
Part of subcall function 008900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008B23B3,000000FF), ref: 00890138
Part of subcall function 008900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0089014E
Part of subcall function 008900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0089015C
Part of subcall function 008900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0089016A
Part of subcall function 008900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00890195
Part of subcall function 008900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008901A0

___scrt_fastfail.LIBCMT ref: 008900E7

Part of subcall function 008900A3: __onexit.LIBCMT ref: 008900A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00890122
SleepConditionVariableCS, xrefs: 00890154
InitializeConditionVariable, xrefs: 00890148
WakeAllConditionVariable, xrefs: 00890162
kernel32.dll, xrefs: 00890133

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e4c83bc3f7d09a78ff8c0be29c37afb57887b41ecc245cee9952effa1859f2a2
Instruction ID: 84466dd44e6f615d62cc28bb9e5cca271525be9cb11a153009fdc564f238ac03
Opcode Fuzzy Hash: e4c83bc3f7d09a78ff8c0be29c37afb57887b41ecc245cee9952effa1859f2a2
Instruction Fuzzy Hash: 15210B7265D710AFDB207BA4AC09F6A37D4FB85B55F04023AF901E76D1DB749C009E91

Function 008D30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D318D
_wcslen.LIBCMT ref: 008D31F8

Strings

REGEXPCLASS, xrefs: 008D3255, 008D3266
INSTANCE, xrefs: 008D3453
TEXT, xrefs: 008D347C
CLASS, xrefs: 008D3188, 008D31A5
CLASSNN, xrefs: 008D31F3, 008D3204
NAME, xrefs: 008D3335, 008D3346

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f2998ec80bf3ec417e3da645d15f7290c535f6475325b976b9c884a1fb0b34f9
Instruction ID: 6f6b883c605cc231bf5f1db66734551ea28ba24af45dbfe6e8fee32329e4c371
Opcode Fuzzy Hash: f2998ec80bf3ec417e3da645d15f7290c535f6475325b976b9c884a1fb0b34f9
Instruction Fuzzy Hash: 91E1E732A00616ABCF189F68C451AEDFBB1FF54714F14832AE456F7340DB30AE458B92

Function 008E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0090CC08), ref: 008E4527
_wcslen.LIBCMT ref: 008E453B
_wcslen.LIBCMT ref: 008E4599
_wcslen.LIBCMT ref: 008E45F4
_wcslen.LIBCMT ref: 008E463F
_wcslen.LIBCMT ref: 008E46A7

Part of subcall function 0088F9F2: _wcslen.LIBCMT ref: 0088F9FD

GetDriveTypeW.KERNEL32(?,00936BF0,00000061), ref: 008E4743

Strings

ramdisk, xrefs: 008E46F1
all, xrefs: 008E4531, 008E4536
unknown, xrefs: 008E4708
cdrom, xrefs: 008E458F, 008E4594
network, xrefs: 008E469D, 008E46A2
removable, xrefs: 008E45EA, 008E45EF
fixed, xrefs: 008E4635, 008E463A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7bb8991fbc57161b91a4a1d51bbe2c69c7c78c3e23ca271c591f542b86acc78b
Instruction ID: 4ef330531ea0f8f72ccf1b4035642707e7385dd017871a1c06f5a8814eb90071
Opcode Fuzzy Hash: 7bb8991fbc57161b91a4a1d51bbe2c69c7c78c3e23ca271c591f542b86acc78b
Instruction Fuzzy Hash: 8DB1F3716083429FC710DF2AC890A6EB7E5FFA6724F50992DF49AC72A1D730D845CB92

Function 0087326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00941990), ref: 008B2F8D
GetMenuItemCount.USER32(00941990), ref: 008B303D
GetCursorPos.USER32(?), ref: 008B3081
SetForegroundWindow.USER32(00000000), ref: 008B308A
TrackPopupMenuEx.USER32(00941990,00000000,?,00000000,00000000,00000000), ref: 008B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008B30A9

Strings

0, xrefs: 0087327D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 838d31bbcbc31d49ccc77d3b4dfda258e6478288de6b8aa7f521392387a58143
Instruction ID: dbc1a6d593331c07449b51c3f08000056ee058533554282f446c503585c6ba6e
Opcode Fuzzy Hash: 838d31bbcbc31d49ccc77d3b4dfda258e6478288de6b8aa7f521392387a58143
Instruction Fuzzy Hash: 1971F770644205BEEB359F29CC49FEABF64FF05364F204216F528E62E1C7B1A910E751

Function 00906CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00906DEB

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00906E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00906E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00906E94
DestroyWindow.USER32(?), ref: 00906EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00870000,00000000), ref: 00906EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00906EFD
GetDesktopWindow.USER32 ref: 00906F16
GetWindowRect.USER32(00000000), ref: 00906F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00906F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00906F4D

Part of subcall function 00889944: GetWindowLongW.USER32(?,000000EB), ref: 00889952

Strings

tooltips_class32, xrefs: 00906E58, 00906EDD
0, xrefs: 00906D98

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 039d583aeb0261872f021a749fc8bec84a76dd2e417df58bf1937a394c6f90c4
Instruction ID: b60aead9fd6cbc00c24cf0408c2bf3cd78e5a5a80c24cd680b7591c45d902b7c
Opcode Fuzzy Hash: 039d583aeb0261872f021a749fc8bec84a76dd2e417df58bf1937a394c6f90c4
Instruction Fuzzy Hash: 267169B4108345AFDB21CF18DC44EAABBE9FB89304F04491DFA99C72A1C771E956DB12

Function 0090911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

DragQueryPoint.SHELL32(?,?), ref: 00909147

Part of subcall function 00907674: ClientToScreen.USER32(?,?), ref: 0090769A
Part of subcall function 00907674: GetWindowRect.USER32(?,?), ref: 00907710
Part of subcall function 00907674: PtInRect.USER32(?,?,00908B89), ref: 00907720

SendMessageW.USER32(?,000000B0,?,?), ref: 009091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00909225
SendMessageW.USER32(?,000000B0,?,?), ref: 0090923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00909255
SendMessageW.USER32(?,000000B1,?,?), ref: 00909277
DragFinish.SHELL32(?), ref: 0090927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00909371

Strings

@GUI_DROPID, xrefs: 0090929E
@GUI_DRAGFILE, xrefs: 00909320
@GUI_DRAGID, xrefs: 009092E9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 3aac6adde26f79a993797f7894759e5ecda8961356dacc00c4c3526e55ff086f
Instruction ID: a51ec12a84ad15266634f4880a5168274414c2bb34cd2777f70bc94a76e9cc82
Opcode Fuzzy Hash: 3aac6adde26f79a993797f7894759e5ecda8961356dacc00c4c3526e55ff086f
Instruction Fuzzy Hash: 88615671108301AFC715EF64DC85DAFBBE8FBC9750F004A2EF5A5921A1DB309A49CB52

Function 008EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008EC5F0
InternetCloseHandle.WININET(00000000), ref: 008EC5FB

Strings

, xrefs: 008EC575

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d3428389f579f3ff4f2462bc4ecbb01a877f11341450b3317be0dab36f813bde
Instruction ID: 185c9d2a7c5c34e4675baeff887267909428d1a593ae0a9b5097aef96bee6e16
Opcode Fuzzy Hash: d3428389f579f3ff4f2462bc4ecbb01a877f11341450b3317be0dab36f813bde
Instruction Fuzzy Hash: 3A518CB0904349BFDB219F66C988AAB7BFCFF0A344F00451AF946D6250DB30E945EB60

Function 0090856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00908592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085BA
GlobalLock.KERNEL32(00000000), ref: 009085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085D7
GlobalUnlock.KERNEL32(00000000), ref: 009085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0090FC38,?), ref: 00908611
GlobalFree.KERNEL32(00000000), ref: 00908621
GetObjectW.GDI32(?,00000018,?), ref: 00908641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00908671
DeleteObject.GDI32(?), ref: 00908699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009086AF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7608e67a0353bde0c70d8df6654b44a9128662c198046cf90a494740ead80d2c
Instruction ID: fa843e2b77badd23fb73352123aeb272d4b291272f99430d45f4464ffa9f909a
Opcode Fuzzy Hash: 7608e67a0353bde0c70d8df6654b44a9128662c198046cf90a494740ead80d2c
Instruction Fuzzy Hash: CD4149B1610204EFDB119FA9CC88EAB7BBCFF89B11F108158F955E72A0DB319901DB20

Function 008E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 008E1502
VariantCopy.OLEAUT32(?,?), ref: 008E150B
VariantClear.OLEAUT32(?), ref: 008E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 008E1657
VariantInit.OLEAUT32(?), ref: 008E1708
SysFreeString.OLEAUT32(?), ref: 008E178C
VariantClear.OLEAUT32(?), ref: 008E17D8
VariantClear.OLEAUT32(?), ref: 008E17E7
VariantInit.OLEAUT32(00000000), ref: 008E1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008E1625
Default, xrefs: 008E16AF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: f4b2d9ceb5de27052c7155e0ccea85c7046bd510fa69bcd75f268f822dec3f7d
Instruction ID: f7fdad4860e7ef7a2b1b646b1b900d7f4f484d5734276fae3a7b30cff3dd54d6
Opcode Fuzzy Hash: f4b2d9ceb5de27052c7155e0ccea85c7046bd510fa69bcd75f268f822dec3f7d
Instruction Fuzzy Hash: 2BD1F171A00149EBDF00AF6AD889BBDB7B5FF46704F10815AE946EB195DB30DC40DB52

Function 008FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 008FB80A
RegCloseKey.ADVAPI32(?), ref: 008FB87E
RegCloseKey.ADVAPI32(?), ref: 008FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 008FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 008FB922
FreeLibrary.KERNEL32(00000000), ref: 008FB983
RegCloseKey.ADVAPI32(00000000), ref: 008FB994

Strings

RegDeleteKeyExW, xrefs: 008FB8FE
advapi32.dll, xrefs: 008FB8ED

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ae71f32d08e46b4752874473c9c0aca14ec43e925091b97ede8b51c200f88e14
Instruction ID: a43c992291bbe9a5e9c646090ab454f7ae597c5e6f4c781e86aa87c257811d0d
Opcode Fuzzy Hash: ae71f32d08e46b4752874473c9c0aca14ec43e925091b97ede8b51c200f88e14
Instruction Fuzzy Hash: BEC19C30208205AFD714DF28C495F2ABBE5FF85318F14855CF69A8B2A2CB71ED45CB92

Function 008F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008F25E8
CreateCompatibleDC.GDI32(?), ref: 008F25F4
SelectObject.GDI32(00000000,?), ref: 008F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008F26D0
SelectObject.GDI32(?,?), ref: 008F26D8
DeleteObject.GDI32(?), ref: 008F26E1
DeleteDC.GDI32(?), ref: 008F26E8
ReleaseDC.USER32(00000000,?), ref: 008F26F3

Strings

(, xrefs: 008F268D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8f96da0b533f458aed04a725b8fd9259853984198198c81a405c3d3c24610b08
Instruction ID: 6446f719fd504e21d7e6f82496fcec41ecd77c53fff5e6cd2973663cff446388
Opcode Fuzzy Hash: 8f96da0b533f458aed04a725b8fd9259853984198198c81a405c3d3c24610b08
Instruction Fuzzy Hash: 6A61F2B5D04219EFCF04CFA8D884AAEBBB5FF48310F208529EA55E7250D774A951DFA0

Function 008ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008ADAA1

Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD659
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD66B
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD67D
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD68F
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6A1
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6B3
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6C5
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6D7
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6E9
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6FB
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD70D
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD71F
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD731

_free.LIBCMT ref: 008ADA96

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008ADAB8
_free.LIBCMT ref: 008ADACD
_free.LIBCMT ref: 008ADAD8
_free.LIBCMT ref: 008ADAFA
_free.LIBCMT ref: 008ADB0D
_free.LIBCMT ref: 008ADB1B
_free.LIBCMT ref: 008ADB26
_free.LIBCMT ref: 008ADB5E
_free.LIBCMT ref: 008ADB65
_free.LIBCMT ref: 008ADB82
_free.LIBCMT ref: 008ADB9A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c66779002743edda088f4ee6c70ca7b1605299b5c5abde62bc55d7907a66f930
Instruction ID: 60d63b7e9569ed2a10bb0115fe4a299bb5f5be75133ba7d1d5dfc175defe9305
Opcode Fuzzy Hash: c66779002743edda088f4ee6c70ca7b1605299b5c5abde62bc55d7907a66f930
Instruction Fuzzy Hash: 3A3159326047049FFB71AA3CE845B5B7BE8FF02720F154419E54AD7D91DA30AC418B22

Function 008D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008D369C
_wcslen.LIBCMT ref: 008D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008D3797
GetClassNameW.USER32(?,?,00000400), ref: 008D380C
GetDlgCtrlID.USER32(?), ref: 008D385D
GetWindowRect.USER32(?,?), ref: 008D3882
GetParent.USER32(?), ref: 008D38A0
ScreenToClient.USER32(00000000), ref: 008D38A7
GetClassNameW.USER32(?,?,00000100), ref: 008D3921
GetWindowTextW.USER32(?,?,00000400), ref: 008D395D

Strings

%s%u, xrefs: 008D3734

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: cf5efab856eaf07a76905a04efea1c8c550b72016369838a3cd91e8c2779c410
Instruction ID: 581956f62ebd944450536b2e45a2ba8b0a3a6dc84283f6090e0db4fb27c0fb8b
Opcode Fuzzy Hash: cf5efab856eaf07a76905a04efea1c8c550b72016369838a3cd91e8c2779c410
Instruction Fuzzy Hash: 2291C471204606BFD719DF64C895FAAF7A8FF44354F00872AF999D2290DB30EA45CB92

Function 008D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008D4994
GetWindowTextW.USER32(?,?,00000400), ref: 008D49DA
_wcslen.LIBCMT ref: 008D49EB
CharUpperBuffW.USER32(?,00000000), ref: 008D49F7
_wcsstr.LIBVCRUNTIME ref: 008D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008D4B20
GetWindowRect.USER32(?,?), ref: 008D4B8B

Strings

ThumbnailClass, xrefs: 008D4A6F, 008D4AF1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 48d623b37487d1cb4f7104214ced541c745e657e749e28116dd3de9fa16c5b1a
Instruction ID: d9c80e66d64a928a39b194ce3563141f7593f961e22c4b35ff7b96d2f4edaa7a
Opcode Fuzzy Hash: 48d623b37487d1cb4f7104214ced541c745e657e749e28116dd3de9fa16c5b1a
Instruction Fuzzy Hash: 6591DC710082069FDB04DF54C885FAA77A8FF94314F04966BFD85DA296DB30ED45CBA2

Function 00908D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00908D5A
GetFocus.USER32 ref: 00908D6A
GetDlgCtrlID.USER32(00000000), ref: 00908D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00908E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00908ECF
GetMenuItemCount.USER32(?), ref: 00908EEC
GetMenuItemID.USER32(?,00000000), ref: 00908EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00908F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00908F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00908FA1

Strings

0, xrefs: 00908E9F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 932ecdf0630749c2f2b72844ff11156837a330a318db0c815494d8338a86f248
Instruction ID: c18fbcf1cfd81d3d6cbdc23ff4ba72ca8601f7e2baa7f4a2b1901d7dc3fba43e
Opcode Fuzzy Hash: 932ecdf0630749c2f2b72844ff11156837a330a318db0c815494d8338a86f248
Instruction Fuzzy Hash: DD819F71608301AFDB20DF24D884A6B7BE9FF88754F140A19FA85D72D1DB70D940DBA2

Function 008DDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008DDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008DDC46
_wcslen.LIBCMT ref: 008DDC50
_wcsstr.LIBVCRUNTIME ref: 008DDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008DDCBC

Strings

04090000, xrefs: 008DDCF2
DefaultLangCodepage, xrefs: 008DDD1F
%u.%u.%u.%u, xrefs: 008DDD9A
StringFileInfo\, xrefs: 008DDC8F
\VarFileInfo\Translation, xrefs: 008DDCB4

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d1aac301df495578528aeb322c920cbaa41e4258991aa93a7c4ab0864af4ef55
Instruction ID: df9014c0289ebd93500176bd14f9d901e44166613e9716b8d90e131b742c15e5
Opcode Fuzzy Hash: d1aac301df495578528aeb322c920cbaa41e4258991aa93a7c4ab0864af4ef55
Instruction Fuzzy Hash: B04104729403047BEF10B7689C03EBF77ACFF45750F14416AF904E6282EA74990197A6

Function 008FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008FCD48

Part of subcall function 008FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008FCCAA
Part of subcall function 008FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008FCCBD
Part of subcall function 008FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008FCCCF
Part of subcall function 008FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008FCD05
Part of subcall function 008FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 008FCCF3

Strings

RegDeleteKeyExW, xrefs: 008FCCC9
advapi32.dll, xrefs: 008FCCB8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d7cad6d908753d111a869d4028451a0b8f2f57586ad33610c350693d1ed65140
Instruction ID: 55455638a3c663dce57adc92e91fbf1bc54dd0417f38cebb974fa7a5bd79861b
Opcode Fuzzy Hash: d7cad6d908753d111a869d4028451a0b8f2f57586ad33610c350693d1ed65140
Instruction Fuzzy Hash: E03161B190512DBFDB209B64DD88EFFBB7CEF46754F000165BA05E2140D7349B45EAA0

Function 008E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008E3D40
_wcslen.LIBCMT ref: 008E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 008E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 008E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008E3E55
CloseHandle.KERNEL32(00000000), ref: 008E3E60
CloseHandle.KERNEL32(00000000), ref: 008E3E6B

Strings

\??\%s, xrefs: 008E3D5B
:, xrefs: 008E3D82
\, xrefs: 008E3D77

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 2e316f3aa28f224f2d45cb56b25d55cbdb1cee826183f2e6135d11e3104c5729
Instruction ID: f679865a113ccc163bacd07ebefeeaf35af452523cf56af9d2643be3d9b15449
Opcode Fuzzy Hash: 2e316f3aa28f224f2d45cb56b25d55cbdb1cee826183f2e6135d11e3104c5729
Instruction Fuzzy Hash: 3A31CFB2A14249ABDB219BA5DC48FEB37BCFF89700F5041A5F609D6160EB709B448B24

Function 008DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008DE6B4

Part of subcall function 0088E551: timeGetTime.WINMM(?,?,008DE6D4), ref: 0088E555

Sleep.KERNEL32(0000000A), ref: 008DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008DE727
SetActiveWindow.USER32 ref: 008DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008DE773
Sleep.KERNEL32(000000FA), ref: 008DE77E
IsWindow.USER32 ref: 008DE78A
EndDialog.USER32(00000000), ref: 008DE79B

Strings

BUTTON, xrefs: 008DE719

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8f6c177f0185335a369b4b4f4a0c3dda405a6d2a70404176acfaa50c141d05c6
Instruction ID: e92a92f71e538ea0ed6c3407ad30b6d8dfad842e3714643b7ce85f4564b0afb2
Opcode Fuzzy Hash: 8f6c177f0185335a369b4b4f4a0c3dda405a6d2a70404176acfaa50c141d05c6
Instruction Fuzzy Hash: D32193B822C205AFEB106F65EC89E3A3B69F756349F500627F415C52A1DB72AC40EB25

Function 008DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008DEAA7

Strings

play PlayMe, xrefs: 008DEAA2
open , xrefs: 008DEA0C
close PlayMe, xrefs: 008DEA6E, 008DEA9B
play PlayMe wait, xrefs: 008DEA91
status PlayMe mode, xrefs: 008DEA58
alias PlayMe, xrefs: 008DEA36

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e28b6facb426d7bf40cc45009fabef1bb0440f9e345e830a60bb61a9bb186e25
Instruction ID: 5cb1dc2f2d530ac6dad9a530f92de6255e228d0a106f2fe0141ec94b7b4da4dc
Opcode Fuzzy Hash: e28b6facb426d7bf40cc45009fabef1bb0440f9e345e830a60bb61a9bb186e25
Instruction Fuzzy Hash: 24119131A9022979D720B7A6DC4AEFF6B7CFBD1B48F00452AB415E60D4EA704905C9B1

Function 008D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008D5CE2
GetWindowRect.USER32(00000000,?), ref: 008D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008D5D59
GetDlgItem.USER32(?,00000002), ref: 008D5D69
GetWindowRect.USER32(00000000,?), ref: 008D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008D5DCF
GetDlgItem.USER32(?,000003E9), ref: 008D5DDD
GetWindowRect.USER32(00000000,?), ref: 008D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008D5E31
GetDlgItem.USER32(?,000003EA), ref: 008D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008D5E67

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 03bc35d9a15aa9992ca83a3a10c048a81d4ba15a00fb3a2e1190b6d97244a846
Instruction ID: 30e4282c605775a7521cff5aa28a02d83457851d091dea047657603cf60d1aba
Opcode Fuzzy Hash: 03bc35d9a15aa9992ca83a3a10c048a81d4ba15a00fb3a2e1190b6d97244a846
Instruction Fuzzy Hash: 7A5101B1B10609AFDF18DF68DD89AAE7BB5FB48301F14822AF515E7290D7709E04CB60

Function 00888BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00888F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00888BE8,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 00888FC5

DestroyWindow.USER32(?), ref: 00888C81
KillTimer.USER32(00000000,?,?,?,?,00888BBA,00000000,?), ref: 00888D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 008C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 008C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00888BBA,00000000), ref: 008C69D4
DeleteObject.GDI32(00000000), ref: 008C69E6

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 95f2fc0d78d7660beab3e047e7f559878808736ab481fd147585761ee09962d3
Instruction ID: 548041c3bbf3cd2d12e02e4dd98324ae374f3eea92f9799f826e67151484a927
Opcode Fuzzy Hash: 95f2fc0d78d7660beab3e047e7f559878808736ab481fd147585761ee09962d3
Instruction Fuzzy Hash: A161BB34016614DFDB25AF18DA48B297BF2FB41316F50452CE042DB5A4CB31ADD0EF91

Function 00889838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00889944: GetWindowLongW.USER32(?,000000EB), ref: 00889952

GetSysColor.USER32(0000000F), ref: 00889862

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 20b475c756be11754625c8e84fb60436058bbdc0fdd3f5f9784c4b805b9c0e42
Instruction ID: 5e73ad84f81beb0110779a5be6bcfb976610f3b7248a2b695e72e9a023f07be0
Opcode Fuzzy Hash: 20b475c756be11754625c8e84fb60436058bbdc0fdd3f5f9784c4b805b9c0e42
Instruction Fuzzy Hash: E2418071108645AFDB206F389C88BB93BA5FB06335F184669F9E2C71E1D7319C42EB11

Function 008D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008D9717
LoadStringW.USER32(00000000,?,008BF7F8,00000001), ref: 008D9720

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008D9742
LoadStringW.USER32(00000000,?,008BF7F8,00000001), ref: 008D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008D9866

Strings

Line %d:, xrefs: 008D97A0
%s (%d) : ==> %s: %s %s, xrefs: 008D984A
^ ERROR, xrefs: 008D97FB
Error: , xrefs: 008D981D
Line %d (File "%s"):, xrefs: 008D978F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: dda5006f7fdc4214530c7d81fd7f16fb85de6ae6ff1ed4fe6be72a9a0138157c
Instruction ID: c66b30a84d9c82a0a05369ac1a380007771ababe3b7db2b34d0314bc72e09eec
Opcode Fuzzy Hash: dda5006f7fdc4214530c7d81fd7f16fb85de6ae6ff1ed4fe6be72a9a0138157c
Instruction Fuzzy Hash: B6416E72800209AACF14EBE4DD86DEE7778FF55340F504125F209B2196EA35AF48DB62

Function 008D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D083C

Strings

\IPC$, xrefs: 008D0784
\CLSID, xrefs: 008D0724
SOFTWARE\Classes\, xrefs: 008D070E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d0f9a6105066a3369e833babc1e9638470db5649c6a5425b2e3be8f3b8758425
Instruction ID: 0fcbbdd00910bce316102dfc6e9ccf7fccff20718687c3dc4c1d7c1e29b795e6
Opcode Fuzzy Hash: d0f9a6105066a3369e833babc1e9638470db5649c6a5425b2e3be8f3b8758425
Instruction Fuzzy Hash: 44410772C10229AADF15EBA4DC859EDB778FF48350F458129E905A72A1EB309E04DF91

Function 008F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F3C5C
CoInitialize.OLE32(00000000), ref: 008F3C8A
CoUninitialize.OLE32 ref: 008F3C94
_wcslen.LIBCMT ref: 008F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 008F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 008F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008F3F0E
CoGetObject.OLE32(?,00000000,0090FB98,?), ref: 008F3F2D
SetErrorMode.KERNEL32(00000000), ref: 008F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008F3FC4
VariantClear.OLEAUT32(?), ref: 008F3FD8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cd0669717cfdff206a0b38a33776ed3ae64bc53c12ab4a3e250d7fa47c4b5332
Instruction ID: bd019c365b10fad14f5771c907b43f36bef19acd006d262b42fe3ffbee3bef96
Opcode Fuzzy Hash: cd0669717cfdff206a0b38a33776ed3ae64bc53c12ab4a3e250d7fa47c4b5332
Instruction Fuzzy Hash: F0C10471608209AFD700DF68C88492BB7E9FF89748F14491DFA8ADB251DB31EE45CB52

Function 008E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 008E7BA3
CoCreateInstance.OLE32(0090FD08,00000000,00000001,00936E6C,?), ref: 008E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008E7C74
CoTaskMemFree.OLE32(?,?), ref: 008E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 008E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008E7D7A
CoTaskMemFree.OLE32(00000000), ref: 008E7D81
CoTaskMemFree.OLE32(00000000), ref: 008E7DD6
CoUninitialize.OLE32 ref: 008E7DDC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 23d0f1eb9b8d5c4658fab96f7af63e9729e1236ce57b34f866e4fe2d6a25b0d9
Instruction ID: 7cfea90eb601c990c58ce9d7a508bfea3f2f6621d07242d0f873ee4a0bff4539
Opcode Fuzzy Hash: 23d0f1eb9b8d5c4658fab96f7af63e9729e1236ce57b34f866e4fe2d6a25b0d9
Instruction Fuzzy Hash: B5C12A75A04149AFCB14DFA9C884DAEBBF9FF49314B148598E819DB361D730EE41CB90

Function 0090541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00905504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00905515
CharNextW.USER32(00000158), ref: 00905544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00905585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0090559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009055AC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a73aef8cbdfe1306b204880e260c10f2712581f75ca5e0ec832d7e97e090fe0a
Instruction ID: 520440cfff43d9f7208a0370509d6931e7da326aa8d038e09ad024cbf573016f
Opcode Fuzzy Hash: a73aef8cbdfe1306b204880e260c10f2712581f75ca5e0ec832d7e97e090fe0a
Instruction Fuzzy Hash: DC617775904609AFDF208F94CC84EFF7BB9EB0A320F118545F925AA2E0D7749A81DF60

Function 008CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008CFB08
VariantInit.OLEAUT32(?), ref: 008CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008CFB3A
VariantCopy.OLEAUT32(?,?), ref: 008CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008CFBA1
VariantClear.OLEAUT32(?), ref: 008CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008CFBCC
VariantClear.OLEAUT32(?), ref: 008CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008CFBE9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 186cd0225d23373cf30bce6bfa206118b069fbc8ba2c00bc68b63c87abb9894b
Instruction ID: 3130a4e80b77c7ec84feae244a7a24730355ecd404f994dff52c32d5413e0a7c
Opcode Fuzzy Hash: 186cd0225d23373cf30bce6bfa206118b069fbc8ba2c00bc68b63c87abb9894b
Instruction Fuzzy Hash: 18413F75A04219AFDB00DF68C854EADBBBAFF48354F008169E945E7262CB30ED45DF91

Function 008D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008D9D22
GetKeyState.USER32(000000A0), ref: 008D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008D9D57
GetKeyState.USER32(000000A1), ref: 008D9D6C
GetAsyncKeyState.USER32(00000011), ref: 008D9D84
GetKeyState.USER32(00000011), ref: 008D9D96
GetAsyncKeyState.USER32(00000012), ref: 008D9DAE
GetKeyState.USER32(00000012), ref: 008D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008D9DD8
GetKeyState.USER32(0000005B), ref: 008D9DEA

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: afb468424e2b183a68667429c151583e9102943491c0e1abdc4706b75bb240ab
Instruction ID: c695c9152d8408cf7c6910aadab5874fa7a8ce0c1b2db673a0642af7f609ad43
Opcode Fuzzy Hash: afb468424e2b183a68667429c151583e9102943491c0e1abdc4706b75bb240ab
Instruction Fuzzy Hash: F341D5745087CA6DFF30976488043B5BFA1FB11344F04825BDAC6D67C2EBA599C8C7A2

Function 008F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008F05BC
inet_addr.WSOCK32(?), ref: 008F061C
gethostbyname.WSOCK32(?), ref: 008F0628
IcmpCreateFile.IPHLPAPI ref: 008F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008F07B9
WSACleanup.WSOCK32 ref: 008F07BF

Strings

Ping, xrefs: 008F0676

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e76cf063f3cba0627c1f5024b86fdfd28c433b5f49cf2bff3334c2286c139ca6
Instruction ID: a539017b0e17980061c1ec8a32e6ad7e4d91d521d834ee923d85f900a8d95fd3
Opcode Fuzzy Hash: e76cf063f3cba0627c1f5024b86fdfd28c433b5f49cf2bff3334c2286c139ca6
Instruction Fuzzy Hash: 24916D755082059FD720DF29C488B2ABBE0FF44318F1485A9E569DB6A2C771ED41CF92

Function 008F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008F8CF3

Part of subcall function 008D8E54: _wcslen.LIBCMT ref: 008D8E77

_wcslen.LIBCMT ref: 008F8D4E
_wcslen.LIBCMT ref: 008F8D9C
_wcslen.LIBCMT ref: 008F8DDC
_wcslen.LIBCMT ref: 008F8E6E

Strings

cdecl, xrefs: 008F8D48, 008F8D4D
none, xrefs: 008F8E65, 008F8E6A
winapi, xrefs: 008F8D96, 008F8D9B
stdcall, xrefs: 008F8DD6, 008F8DDB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1ae471b2c8ca0760123e0d3b03bd666355cb8a167aaac5f839cc49bd7c6102dd
Instruction ID: 877badc82c51e876bc4d015c3751a4b52e1ed8786e9d874d614a0f729c1fbbae
Opcode Fuzzy Hash: 1ae471b2c8ca0760123e0d3b03bd666355cb8a167aaac5f839cc49bd7c6102dd
Instruction Fuzzy Hash: 4251AF32A0051ADBCF24EF7CC9418BEB7A5FF64324B244229E666E7284DB30DD40CB91

Function 008F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 008F3774
CoUninitialize.OLE32 ref: 008F377F
CoCreateInstance.OLE32(?,00000000,00000017,0090FB78,?), ref: 008F37D9
IIDFromString.OLE32(?,?), ref: 008F384C
VariantInit.OLEAUT32(?), ref: 008F38E4
VariantClear.OLEAUT32(?), ref: 008F3936

Strings

NULL Pointer assignment, xrefs: 008F381E
Invalid parameter, xrefs: 008F3865
Failed to create object, xrefs: 008F37E4, 008F389A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 8f78ae0c9ba462a1605ad424f998095316d91f1bfe6997940622ac169ee440a2
Instruction ID: 4524fa135fd48bd735ae401336f930caaf717d6b9e2978fcc2ebb3bd9b302c5c
Opcode Fuzzy Hash: 8f78ae0c9ba462a1605ad424f998095316d91f1bfe6997940622ac169ee440a2
Instruction Fuzzy Hash: 9F6190B0608305AFD310EF64C889B6ABBE4FF49754F104919FA85DB291D774EE48CB92

Function 008E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 008E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8395

Strings

*.*, xrefs: 008E839B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 21accf1a6909509c045d349246d1d39f9602c15fc2cfbae5efe4568c902777b9
Instruction ID: f71721f09f84f43b62314f139fc0e248a9eb858c62cae670c81f752ce4dd5b9b
Opcode Fuzzy Hash: 21accf1a6909509c045d349246d1d39f9602c15fc2cfbae5efe4568c902777b9
Instruction Fuzzy Hash: 816169B25083459FCB10EF69C8419AEB3E8FF8A314F04891EF999D7251DB31E945CB92

Function 008E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008E33CF

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008E33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 008E3504
Error: , xrefs: 008E34D1
"%s" (%d) : ==> %s:, xrefs: 008E3522
Incorrect parameters to object property !, xrefs: 008E34AB
^ ERROR , xrefs: 008E349E
Line %d (File "%s"):, xrefs: 008E3443, 008E345C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 459dcbd1d04e6cc78832a2da8909297881e6d668e60edbfc9e698809841732fb
Instruction ID: fa3eaf67dffcda17558dcaa70d69c90e63ef12788251323b9857540a14697eb4
Opcode Fuzzy Hash: 459dcbd1d04e6cc78832a2da8909297881e6d668e60edbfc9e698809841732fb
Instruction Fuzzy Hash: 66519D72800209AADF15EBA4CD46EEEB778FF15344F108165F509B21A2EB316F58DF62

Function 008DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008DB5FC
_wcslen.LIBCMT ref: 008DB608
_wcslen.LIBCMT ref: 008DB64D
_wcslen.LIBCMT ref: 008DB68C
_wcslen.LIBCMT ref: 008DB6C7

Strings

KEYS, xrefs: 008DB647, 008DB64C
APPEND, xrefs: 008DB6C1, 008DB6C6
REMOVE, xrefs: 008DB602, 008DB607
EXISTS, xrefs: 008DB686, 008DB68B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6933b2448a5e312953cfbc5ec57cca42f352c478acad791e27699cdbbcb8bb77
Instruction ID: 35e7ec3f0459c7269a71991f8e8148820f0e76705a0c591dc5f71a0d7160290a
Opcode Fuzzy Hash: 6933b2448a5e312953cfbc5ec57cca42f352c478acad791e27699cdbbcb8bb77
Instruction Fuzzy Hash: BA41B632A00126DBCB206F7D98905BE7BA5FB75768B26432AE425D7384E731CD81C790

Function 008E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008E5416
GetLastError.KERNEL32 ref: 008E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 008E54A7

Strings

NOTREADY, xrefs: 008E544B
READY, xrefs: 008E5460, 008E5468
READONLY, xrefs: 008E5452
UNKNOWN, xrefs: 008E5444
INVALID, xrefs: 008E5459

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7a21a72e8deda4fa0f2ab8a37bf212423e37cd596de7dfc5f423709d18748a22
Instruction ID: 80a7c197fe1655cdfbbb1b894d96e6cda38f2495893848e6e4cff540ec4e410b
Opcode Fuzzy Hash: 7a21a72e8deda4fa0f2ab8a37bf212423e37cd596de7dfc5f423709d18748a22
Instruction Fuzzy Hash: 6A31D0B5A002489FC710DF69C884AAABBF4FF4630DF148065E405CB2D2D770DD86CB91

Function 00903C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00903C79
SetMenu.USER32(?,00000000), ref: 00903C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00903D10
IsMenu.USER32(?), ref: 00903D24
CreatePopupMenu.USER32 ref: 00903D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00903D5B
DrawMenuBar.USER32 ref: 00903D63

Strings

0, xrefs: 00903C54
F, xrefs: 00903D4E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e510db58bb8cde4498a3972c72809ee71df5a4a8667550ae14fa443894d07ca7
Instruction ID: b29622f4375bdb8e645f997812982482bd2d03be564afa38e0f1c6615707db24
Opcode Fuzzy Hash: e510db58bb8cde4498a3972c72809ee71df5a4a8667550ae14fa443894d07ca7
Instruction Fuzzy Hash: 0F417CB9A15209EFDB14CF64E844EAA7BB9FF49350F144129F946973A0D730AA10EF90

Function 00903A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00903A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00903AA0
GetWindowLongW.USER32(?,000000F0), ref: 00903AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00903AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00903B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00903BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00903BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00903BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00903BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00903C13

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8fd71ee559eb3e9cdf850f209ec12b00eaeea338ffdbd09cd2f2223fe34c4413
Instruction ID: 02883d6345dd2fa6c5c287bbf85957caaae1f0172c00d416346fe925ad6a62ea
Opcode Fuzzy Hash: 8fd71ee559eb3e9cdf850f209ec12b00eaeea338ffdbd09cd2f2223fe34c4413
Instruction Fuzzy Hash: 08617875A00218AFDB10DFA8CC81EEE77BCEB49714F104199FA15E72E1D774AA81DB50

Function 008DB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008DB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB165
GetWindowThreadProcessId.USER32(00000000), ref: 008DB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 008DB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008DA1E1,?,00000001), ref: 008DB21D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0b57787e6cc64891b2343d1fecb4f54fc2713a183e86fcbde7d60059b9033d10
Instruction ID: fe1ca3becca443f9412d0ce6411e6d753417ae6d99041e61a647fed98e3e871a
Opcode Fuzzy Hash: 0b57787e6cc64891b2343d1fecb4f54fc2713a183e86fcbde7d60059b9033d10
Instruction Fuzzy Hash: 75318EB6528204FFDB209F64EC88F6D7BB9FB52359F118306FA01D6290D7B49A409F64

Function 008A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008A2C94

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008A2CA0
_free.LIBCMT ref: 008A2CAB
_free.LIBCMT ref: 008A2CB6
_free.LIBCMT ref: 008A2CC1
_free.LIBCMT ref: 008A2CCC
_free.LIBCMT ref: 008A2CD7
_free.LIBCMT ref: 008A2CE2
_free.LIBCMT ref: 008A2CED
_free.LIBCMT ref: 008A2CFB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2ac166815e1b5bea8c86a7748ef7fe99451a43c801e0b2abbb00d26b32c1ad3
Instruction ID: 4d51c59b50e127baee464e20b05670ec093c59c8904e6c088f2176b277a5d62b
Opcode Fuzzy Hash: f2ac166815e1b5bea8c86a7748ef7fe99451a43c801e0b2abbb00d26b32c1ad3
Instruction Fuzzy Hash: 6611C676100108AFDB52EF5CD842DDE3FA5FF06750F4544A0FA489BA22D631EA509B92

Function 008E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 008E7FC1
GetFileAttributesW.KERNEL32(?), ref: 008E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 008E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008E80B0

Strings

*.*, xrefs: 008E8066

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f46a27be73811c0725dfcb90bf9cb4f97f0f1aef6169359dda01b247c7e10486
Instruction ID: ee17e0257417e8027f322fd99b79c49aa65ed43018b7a4d88ae7c37f73360ac1
Opcode Fuzzy Hash: f46a27be73811c0725dfcb90bf9cb4f97f0f1aef6169359dda01b247c7e10486
Instruction Fuzzy Hash: 5A81B2715082869BCB24EF1AC8449AEB3E8FF86714F144C6EF889D7250EB34DD45CB52

Function 00875BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00875C7A

Part of subcall function 00875D0A: GetClientRect.USER32(?,?), ref: 00875D30
Part of subcall function 00875D0A: GetWindowRect.USER32(?,?), ref: 00875D71
Part of subcall function 00875D0A: ScreenToClient.USER32(?,?), ref: 00875D99

GetDC.USER32 ref: 008B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008B4708
SelectObject.GDI32(00000000,00000000), ref: 008B4716
SelectObject.GDI32(00000000,00000000), ref: 008B472B
ReleaseDC.USER32(?,00000000), ref: 008B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008B47C4

Strings

U, xrefs: 008B4693

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1e57796255797a8db7b0129c63870a964ab218657cba0f9fcbd9b6368a27d5a7
Instruction ID: e9fd88642468e2dda5fe03e1b4e11dab4806293620ef5c3356a603764f0dec51
Opcode Fuzzy Hash: 1e57796255797a8db7b0129c63870a964ab218657cba0f9fcbd9b6368a27d5a7
Instruction Fuzzy Hash: 4071F134404209DFDF218F64C986AFA3BB5FF8A314F245269E955DA2ABCB31D881DF50

Function 008E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008E35E4

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

LoadStringW.USER32(00942390,?,00000FFF,?), ref: 008E360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 008E3724
^ ERROR, xrefs: 008E36C9
Error: , xrefs: 008E36EF
"%s" (%d) : ==> %s:, xrefs: 008E3742
Line %d (File "%s"):, xrefs: 008E366B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 23b5dcb1c389a8664c75ce9a863ee58606e7561b7b1397072ad86470988abc2e
Instruction ID: 67c35a9da3d87b799bb2dd9c895a0b0b5f9085b7690ee2bc938845404083fb64
Opcode Fuzzy Hash: 23b5dcb1c389a8664c75ce9a863ee58606e7561b7b1397072ad86470988abc2e
Instruction Fuzzy Hash: 84518F71800249BACF15EBA4DC46EEEBB78FF15304F048125F109B21A5EB309B98DF62

Function 00908B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

Part of subcall function 0088912D: GetCursorPos.USER32(?), ref: 00889141
Part of subcall function 0088912D: ScreenToClient.USER32(00000000,?), ref: 0088915E
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000001), ref: 00889183
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000002), ref: 0088919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00908B6B
ImageList_EndDrag.COMCTL32 ref: 00908B71
ReleaseCapture.USER32 ref: 00908B77
SetWindowTextW.USER32(?,00000000), ref: 00908C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00908C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00908CFF

Strings

@GUI_DROPID, xrefs: 00908C51
@GUI_DRAGFILE, xrefs: 00908C9A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 09a4cf26efb28b77451415d3904efce70fc968135d8e3b5f7b8a45016bd69f4b
Instruction ID: c53b529f0d0694e8b66c538917624b9bf9464c700ff27ceb21711f73c764cc7c
Opcode Fuzzy Hash: 09a4cf26efb28b77451415d3904efce70fc968135d8e3b5f7b8a45016bd69f4b
Instruction Fuzzy Hash: D8519D74208310AFE714EF24DC56FAA77E4FB88714F000A2DF996A72E1CB719944DB62

Function 008EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008EC2CA
GetLastError.KERNEL32 ref: 008EC322
SetEvent.KERNEL32(?), ref: 008EC336
InternetCloseHandle.WININET(00000000), ref: 008EC341

Strings

, xrefs: 008EC2BB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ba394aed78d07368a008f573c6ca53a32c6e55e2f83ed592e43389657e17f6de
Instruction ID: 9a4ef7f8cdb5c5d6672e8674bb09b755507e59182e7a6b51eb37c92e892d20d2
Opcode Fuzzy Hash: ba394aed78d07368a008f573c6ca53a32c6e55e2f83ed592e43389657e17f6de
Instruction Fuzzy Hash: DE317FB1904648AFD7219FAA8C88AAB7BFCFB4A744F14851DF446D2200DB30DD069B61

Function 008D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008B3AAF,?,?,Bad directive syntax error,0090CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008D98BC
LoadStringW.USER32(00000000,?,008B3AAF,?), ref: 008D98C3

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008D9987

Strings

Line %d:, xrefs: 008D9912
Error: , xrefs: 008D9955
., xrefs: 008D996D
Line %d (File "%s"):, xrefs: 008D992D
%s (%d) : ==> %s.: %s %s, xrefs: 008D98F1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 21be63b5072ac8f36e5a560373e2458638af87d768c3fe890ecf6ec9b8ab5875
Instruction ID: 0ddd6d2608400c37ff3e53d3ecb0f7891190bdc66e0aab976ff96af5edb24a79
Opcode Fuzzy Hash: 21be63b5072ac8f36e5a560373e2458638af87d768c3fe890ecf6ec9b8ab5875
Instruction Fuzzy Hash: C0216031C0421ABBCF15AF94CC1AEEE7779FF18304F048466F519A61A2EB719618DB52

Function 008D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008D214D

Strings

largeicons, xrefs: 008D20E1
details, xrefs: 008D20FB
SHELLDLL_DefView, xrefs: 008D20CC
list, xrefs: 008D212F
smallicons, xrefs: 008D2115

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 63b30e64875a45dfb611aa9725cfc42776ebb63ba1efe8231c4be25c0dccf4de
Instruction ID: 0725aa7c8710cbb21ff42f0dd8ec3167b583ca265004a1cbb0e855ce4cff4623
Opcode Fuzzy Hash: 63b30e64875a45dfb611aa9725cfc42776ebb63ba1efe8231c4be25c0dccf4de
Instruction Fuzzy Hash: 8A110676688717B9FE117224DC07DA677ACEF28728F214317FB04E51E1FE61B8025A14

Function 008A8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe6fe087edfcb4177dde1b17ad0f3c5162f70081ce81c99a384acc3a22678e2
Instruction ID: 096bb3bd5c01b18b88f7e31a737fdc7dcaf09a23fe2cd5f699c54b807dee19da
Opcode Fuzzy Hash: abe6fe087edfcb4177dde1b17ad0f3c5162f70081ce81c99a384acc3a22678e2
Instruction Fuzzy Hash: 7FC1C174908249DFEF11AFACC841BADBFB4FF0A310F184199E954E7692CB749941CB61

Function 008ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008ACEB7
_free.LIBCMT ref: 008ACF22
_free.LIBCMT ref: 008ACF48
_free.LIBCMT ref: 008ACF71
_free.LIBCMT ref: 008ACFA9
_free.LIBCMT ref: 008ACFDA
_free.LIBCMT ref: 008AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008AD09C
_free.LIBCMT ref: 008AD0B5

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c59470f488f92543bd1b25530f0ee917b8c1d8d4b6500df3681f203c5a70783d
Instruction ID: 8bb152a05d000a4d265680dc445d91a82be560ce9b95c3c5f32b405486be5d09
Opcode Fuzzy Hash: c59470f488f92543bd1b25530f0ee917b8c1d8d4b6500df3681f203c5a70783d
Instruction Fuzzy Hash: C2614772908304AFFF21AFBC9881B6A7BA5FF03320F04416DFA55D7A82DA719D018752

Function 00888B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00888874,00000000,00000000,00000000,000000FF,00000000), ref: 008C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00888874,00000000,00000000,00000000,000000FF,00000000), ref: 008C692D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 152fdd5a448fb3d16ca92197caf14e6d6faff671cb9cd6e15a16e07ca3dfc264
Instruction ID: 4ee983f57c1ad6e0baac3c34f7aa129f384067dc3f4f95d109905d3b8a6a9a3d
Opcode Fuzzy Hash: 152fdd5a448fb3d16ca92197caf14e6d6faff671cb9cd6e15a16e07ca3dfc264
Instruction Fuzzy Hash: 32516C74610209EFDB24DF24CC95FAA7BB5FB88760F104628F956D72A0EB70E990DB50

Function 008EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008EC182
GetLastError.KERNEL32 ref: 008EC195
SetEvent.KERNEL32(?), ref: 008EC1A9

Part of subcall function 008EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008EC272
Part of subcall function 008EC253: GetLastError.KERNEL32 ref: 008EC322
Part of subcall function 008EC253: SetEvent.KERNEL32(?), ref: 008EC336
Part of subcall function 008EC253: InternetCloseHandle.WININET(00000000), ref: 008EC341

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0bbcf8fcae103d9683ff6360b8ab2e29df19efdff36ccd05c11ba26770a09e1d
Instruction ID: 0a8d05f3d1bede77adf862a87ef9efb8e54ce3dd851ce550ffd6a59fd4223357
Opcode Fuzzy Hash: 0bbcf8fcae103d9683ff6360b8ab2e29df19efdff36ccd05c11ba26770a09e1d
Instruction Fuzzy Hash: 6D3190B1A04785AFDB219FAADC44A67BBF9FF1A300B00451DFA56C2610D730E816EB60

Function 008D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D3A57
Part of subcall function 008D3A3D: GetCurrentThreadId.KERNEL32 ref: 008D3A5E
Part of subcall function 008D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008D25B3), ref: 008D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008D2627

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 801776dc4e8ffee3cf21ac46cbf0806e9a0d3a518f7b02490f7886c32d83eabf
Instruction ID: 8b85dc0e28a778fafc6686a5ef71fd959d386a3f6fe46276999b4a57049a37bb
Opcode Fuzzy Hash: 801776dc4e8ffee3cf21ac46cbf0806e9a0d3a518f7b02490f7886c32d83eabf
Instruction Fuzzy Hash: CE01D870398624BBFB2067689C8AF593F69EB5EB11F100202F314EF1D1C9E254449AAA

Function 008D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008D1449,?,?,00000000), ref: 008D180C
HeapAlloc.KERNEL32(00000000,?,008D1449,?,?,00000000), ref: 008D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D1449,?,?,00000000), ref: 008D1828
GetCurrentProcess.KERNEL32(?,00000000,?,008D1449,?,?,00000000), ref: 008D1830
DuplicateHandle.KERNEL32(00000000,?,008D1449,?,?,00000000), ref: 008D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D1449,?,?,00000000), ref: 008D1843
GetCurrentProcess.KERNEL32(008D1449,00000000,?,008D1449,?,?,00000000), ref: 008D184B
DuplicateHandle.KERNEL32(00000000,?,008D1449,?,?,00000000), ref: 008D184E
CreateThread.KERNEL32(00000000,00000000,008D1874,00000000,00000000,00000000), ref: 008D1868

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 165c94967f899776036b324b1a596fdc88f5ea8f5b5ac631af763cb61b441fdc
Instruction ID: 952caf4af0820f1132cf14d0d51774b5e6e66f68e1e21eb8b14bc4a8f033d6de
Opcode Fuzzy Hash: 165c94967f899776036b324b1a596fdc88f5ea8f5b5ac631af763cb61b441fdc
Instruction Fuzzy Hash: AA01BFB5254304BFE750AB65DC4DF573B6CEB89B11F004511FA05DB291C6749800DB20

Function 008FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008DD501
Part of subcall function 008DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008DD50F
Part of subcall function 008DD4DC: CloseHandle.KERNEL32(00000000), ref: 008DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FA16D
GetLastError.KERNEL32 ref: 008FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 008FA268
GetLastError.KERNEL32(00000000), ref: 008FA273
CloseHandle.KERNEL32(00000000), ref: 008FA2C4

Strings

SeDebugPrivilege, xrefs: 008FA18F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 416b50befbbb7fc1bc8a1ff2a69e78d63e4205fa9e85c2f610ad2d4cab8526bf
Instruction ID: 049b2211ef689023bd1931c4108fa14130014aeff60830d447042ee27fde8f96
Opcode Fuzzy Hash: 416b50befbbb7fc1bc8a1ff2a69e78d63e4205fa9e85c2f610ad2d4cab8526bf
Instruction Fuzzy Hash: 7A618DB02082429FD714DF28C494F29BBA5FF44328F14848CE56A8B7A3C772ED45CB92

Function 00903886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00903925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0090393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00903954
_wcslen.LIBCMT ref: 00903999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009039F4

Strings

SysListView32, xrefs: 009038F7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 139b971d0cf43df90aa49c4f2c2982d6d86cb7d6d28c7076858e3aac67898827
Instruction ID: 9de36692737457f801fb8dd6c8aed0f8a776c5b791ca8a2807f2b7cff4c61e86
Opcode Fuzzy Hash: 139b971d0cf43df90aa49c4f2c2982d6d86cb7d6d28c7076858e3aac67898827
Instruction Fuzzy Hash: 25419E71A00219AFEF219F64CC49BEA7BADFF48354F104526F958E72C1D7719A80CB90

Function 008DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008DBCFD
IsMenu.USER32(00000000), ref: 008DBD1D
CreatePopupMenu.USER32 ref: 008DBD53
GetMenuItemCount.USER32(012D5D58), ref: 008DBDA4
InsertMenuItemW.USER32(012D5D58,?,00000001,00000030), ref: 008DBDCC

Strings

0, xrefs: 008DBCA8
2, xrefs: 008DBD37

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 384834d11b00140655b5b957a36d34f0825cb8f70ae26b4de99f2c437c9911a2
Instruction ID: 1a43bfde836344b5f0299066f98d887cc8b1ffc67ccd00bcdd05813c37e54b9d
Opcode Fuzzy Hash: 384834d11b00140655b5b957a36d34f0825cb8f70ae26b4de99f2c437c9911a2
Instruction Fuzzy Hash: 85519C70A04209EBDB20DFA8D884BAEBBF6FF49324F15435AE441D7390DB709940CB62

Function 008DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008DC913

Strings

blank, xrefs: 008DC895
warning, xrefs: 008DC8FC
info, xrefs: 008DC8B4
question, xrefs: 008DC8CC
stop, xrefs: 008DC8E4

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e777d0a6d4cbb265ff975d320cfd282663d95043a418651bf2a5c558e72ac7e1
Instruction ID: 75fb8375dbfc67c11610ed87a68d075e4141fa45ea3c9af4e719dd9fbc9efb3b
Opcode Fuzzy Hash: e777d0a6d4cbb265ff975d320cfd282663d95043a418651bf2a5c558e72ac7e1
Instruction Fuzzy Hash: 03110D3168930BBAEB016B54DC93CAE7BDCFF15368B50423BF501E6382D7705E01A665

Function 008DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008DED2A
_wcslen.LIBCMT ref: 008DED3B
_wcslen.LIBCMT ref: 008DED79
_wcslen.LIBCMT ref: 008DEDAF
_wcslen.LIBCMT ref: 008DEDDF
_wcslen.LIBCMT ref: 008DEDEF
_wcslen.LIBCMT ref: 008DEE2B
_wcslen.LIBCMT ref: 008DEE5A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1d6e4037c5ff705c4d93a699bcf4eac5eb799e3ba3c87d4b1b4b0151cb8c27eb
Instruction ID: cfd5c3ca30091633e787af66f3547b4fec7d5163bf521dde08a7dc93c4a071c0
Opcode Fuzzy Hash: 1d6e4037c5ff705c4d93a699bcf4eac5eb799e3ba3c87d4b1b4b0151cb8c27eb
Instruction Fuzzy Hash: 19416D65C1021866CF11FBF8888A9CFB7A8FF45710F548562F518E3622FB34E255C3AA

Function 0088F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 0088F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 008CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 008CF454

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 919ab7a31900167c01f0485488f82b9040bda9a66e380daca137c7bc0e1819e0
Instruction ID: f1d557988237209827249ca3e1a5cf58ecaba468a4656553617a7173fd5d2e7a
Opcode Fuzzy Hash: 919ab7a31900167c01f0485488f82b9040bda9a66e380daca137c7bc0e1819e0
Instruction Fuzzy Hash: C241D931618680BED739AB3D8C88B2A7FA2FB56314F14453CE387D6663D635E880DB11

Function 00902D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00902D1B
GetDC.USER32(00000000), ref: 00902D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00902D2E
ReleaseDC.USER32(00000000,00000000), ref: 00902D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00902D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00902D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00905A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00902DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00902DE1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4c8178d2e01ebcd9e8f88ded1e01bed1e9354a42d85d5a39381271dab5e1dd3b
Instruction ID: 63f26902be9ca54ca1bb73bce30a20d97fb54ab5fae4d7666620287eaacfd412
Opcode Fuzzy Hash: 4c8178d2e01ebcd9e8f88ded1e01bed1e9354a42d85d5a39381271dab5e1dd3b
Instruction Fuzzy Hash: 6A3167B2215214BFEF218F50CC8AFEB3BADEB09715F044165FE089A2D1C6759C51DBA4

Function 008D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008D5637
_memcmp.LIBVCRUNTIME ref: 008D5659
_memcmp.LIBVCRUNTIME ref: 008D5671
_memcmp.LIBVCRUNTIME ref: 008D5684
_memcmp.LIBVCRUNTIME ref: 008D569E
_memcmp.LIBVCRUNTIME ref: 008D56B1
_memcmp.LIBVCRUNTIME ref: 008D56C9
_memcmp.LIBVCRUNTIME ref: 008D56E4

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 55e20c16f0e73cdb3a53f28803633ed5a71f3cae33f5d979bb6be084cdcc0caf
Instruction ID: 0530305b9095c79378573bf8f9d948c27c377c436c24f25727989338a86849a6
Opcode Fuzzy Hash: 55e20c16f0e73cdb3a53f28803633ed5a71f3cae33f5d979bb6be084cdcc0caf
Instruction Fuzzy Hash: DC212C61648A19BBEA1565149D97FFA336CFF70388F580123FD04DAB81F724EE1085A6

Function 008F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 008F5007
NULL Pointer assignment, xrefs: 008F502E, 008F5383

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8d8ccf8ed4d88f90dd62d912eb412e8c8d65c1e13c2d6b09e5155eb9e3c058cd
Instruction ID: c859bb54715489b121e1e95b322012245eb78b0fdf18bb0d06c2a4627f1f6161
Opcode Fuzzy Hash: 8d8ccf8ed4d88f90dd62d912eb412e8c8d65c1e13c2d6b09e5155eb9e3c058cd
Instruction Fuzzy Hash: 34D17E71A0060EAFDB14CFA8C881BBEB7B5FB48344F148569EA15EB281E770E945CB50

Function 008B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008B15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008B17FB,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B16FB

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B1777
__freea.LIBCMT ref: 008B17A2
__freea.LIBCMT ref: 008B17AE

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: cf070cfde931178b137c7ef4a57bcedd91f387f874b2282674554aad2c92fd9e
Instruction ID: caba2d7bcab7c8eabca71cd34716738e084a2631feb17e274e51bfd98c5ef548
Opcode Fuzzy Hash: cf070cfde931178b137c7ef4a57bcedd91f387f874b2282674554aad2c92fd9e
Instruction Fuzzy Hash: 3A91C671E102169EDF208E64C8A9AEE7BB5FF49314F980659E801EF345DB35DD44C760

Function 008F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F4648
VariantInit.OLEAUT32(?), ref: 008F4749
VariantClear.OLEAUT32(?), ref: 008F4753
VariantClear.OLEAUT32(?), ref: 008F47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 008F472C
Null Object assignment in FOR..IN loop, xrefs: 008F45D8, 008F4706, 008F47BE

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 412f67a6cfb3ad39e78714c5217cf8198794726cdcd8e2b5791cb2cfb0239b90
Instruction ID: c932a7ac536094552394f3174f5a84b946650aa060f48d5fd47b24c825c6e6e1
Opcode Fuzzy Hash: 412f67a6cfb3ad39e78714c5217cf8198794726cdcd8e2b5791cb2cfb0239b90
Instruction Fuzzy Hash: 9E916871A0021DABDB20DFA5C884EAFBBB8FF46714F10855AF605EB280D7709945CFA0

Function 008E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E1430

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 95c7c2b7394dac078ea3a64837217d99bba5ca4dfc14c85e05b864934de160b4
Instruction ID: af5c91d82bca7ecbaad3a7bc852703dbc2bf2510892f7b1c71d7741f7ebf0b6f
Opcode Fuzzy Hash: 95c7c2b7394dac078ea3a64837217d99bba5ca4dfc14c85e05b864934de160b4
Instruction Fuzzy Hash: 5D91E575A002599FDF00DF99C888BBEB7B5FF46319F144029EA00E7292D774E941CB95

Function 0088948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e50cf1a0528d4dedc5c7638a78b6aad8ee6539e51e727ee55e14737e4137fa7b
Instruction ID: 2e8fc3d0f67d52a79ff7c1a63c8c967642d5cfd2fadf7a5c4844204b2ee33098
Opcode Fuzzy Hash: e50cf1a0528d4dedc5c7638a78b6aad8ee6539e51e727ee55e14737e4137fa7b
Instruction Fuzzy Hash: 96912371944219EFCB10DFA9C884AEEBBB8FF48320F188159E555F7251D374AA42DB60

Function 008F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F396B
CharUpperBuffW.USER32(?,?), ref: 008F3A7A
_wcslen.LIBCMT ref: 008F3A8A
VariantClear.OLEAUT32(?), ref: 008F3C1F

Part of subcall function 008E0CDF: VariantInit.OLEAUT32(00000000), ref: 008E0D1F
Part of subcall function 008E0CDF: VariantCopy.OLEAUT32(?,?), ref: 008E0D28
Part of subcall function 008E0CDF: VariantClear.OLEAUT32(?), ref: 008E0D34

Strings

AUTOIT.ERROR, xrefs: 008F3A80, 008F3A85
Incorrect Parameter format, xrefs: 008F39A6, 008F3BA1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 849dbac64d828a91893ac44a3c6e866b683b9ab82321357c06b55ac9dd8f1b54
Instruction ID: e12ca0ec946ab25f979bdca6dc230925966e45f5a4cdeb88792d6f539b64d31f
Opcode Fuzzy Hash: 849dbac64d828a91893ac44a3c6e866b683b9ab82321357c06b55ac9dd8f1b54
Instruction Fuzzy Hash: 0C9134746083099FC704EF28C49192AB7E4FB89314F14892EF989DB351DB31EE45CB92

Function 008F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?,?,008D035E), ref: 008D002B
Part of subcall function 008D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0046
Part of subcall function 008D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0054
Part of subcall function 008D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?), ref: 008D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 008F4C51
_wcslen.LIBCMT ref: 008F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 008F4DCF
CoTaskMemFree.OLE32(?), ref: 008F4DDA

Strings

NULL Pointer assignment, xrefs: 008F4E23, 008F4E52

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a9e7085ac80162df15942bffc22394fd1ad4ec73e288d4094d5d0e9c15967f31
Instruction ID: 50da55e659ec8df03727af33a943415222bc60d80862a9a0293244507b8ef8c3
Opcode Fuzzy Hash: a9e7085ac80162df15942bffc22394fd1ad4ec73e288d4094d5d0e9c15967f31
Instruction Fuzzy Hash: F291F571D0021DAFDF14DFA4C891AEEBBB8FF48314F10816AE919E7251EB349A448F61

Function 009020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00902183
GetMenuItemCount.USER32(00000000), ref: 009021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009021DD
_wcslen.LIBCMT ref: 00902213
GetMenuItemID.USER32(?,?), ref: 0090224D
GetSubMenu.USER32(?,?), ref: 0090225B

Part of subcall function 008D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D3A57
Part of subcall function 008D3A3D: GetCurrentThreadId.KERNEL32 ref: 008D3A5E
Part of subcall function 008D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008D25B3), ref: 008D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009022E3

Part of subcall function 008DE97B: Sleep.KERNEL32 ref: 008DE9F3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 41860660f49e768e50b77ae6eb1a474d77e6a2c9c6bc62f4e86b5512482c0031
Instruction ID: a74fbea71e01487b84814f8804b677170d6348153064a7ad5161f55e3a795448
Opcode Fuzzy Hash: 41860660f49e768e50b77ae6eb1a474d77e6a2c9c6bc62f4e86b5512482c0031
Instruction Fuzzy Hash: 51718175E04205AFCB14EFA8C845AAEB7F5FF48310F148459E926EB391DB34ED418B91

Function 00907E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012D5C18), ref: 00907F37
IsWindowEnabled.USER32(012D5C18), ref: 00907F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0090801E
SendMessageW.USER32(012D5C18,000000B0,?,?), ref: 00908051
IsDlgButtonChecked.USER32(?,?), ref: 00908089
GetWindowLongW.USER32(012D5C18,000000EC), ref: 009080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009080C3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 12bc116f9fe5869e71d221b36265cf4a19e9c5f114bd079654406953ab3c70b9
Instruction ID: 1008403ea595f88905858289b6e11efef3200a6535f0897304ac1572a6f59b5f
Opcode Fuzzy Hash: 12bc116f9fe5869e71d221b36265cf4a19e9c5f114bd079654406953ab3c70b9
Instruction Fuzzy Hash: 42716174A08206AFEF259F94CC94FEABBB9EF49310F144459FA45972E1CB31B845DB20

Function 008DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008DAEF9
GetKeyboardState.USER32(?), ref: 008DAF0E
SetKeyboardState.USER32(?), ref: 008DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008DB020

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9c8226ba77ea142dcaf631f3f46474382384c4cebcb50f2322e80b69c0d0807f
Instruction ID: 0acfbd2f69dea3999e7a3f2bf8eea3072a441ce5ad63820b052a9a73a01c1600
Opcode Fuzzy Hash: 9c8226ba77ea142dcaf631f3f46474382384c4cebcb50f2322e80b69c0d0807f
Instruction Fuzzy Hash: 955103A16047D57DFB3A43348805BBB7FE9AB06304F18868AE1E5C55C2C799ACC8D362

Function 008DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008DAD19
GetKeyboardState.USER32(?), ref: 008DAD2E
SetKeyboardState.USER32(?), ref: 008DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008DAE38

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e513602c173000145f040c0e381b1e30ac048135a98b1b04c4088181a9b93d5d
Instruction ID: 22ecf0609e79a397f7389b870e7175d964285491554059715f521a0e8a1b2766
Opcode Fuzzy Hash: e513602c173000145f040c0e381b1e30ac048135a98b1b04c4088181a9b93d5d
Instruction Fuzzy Hash: 0251E7A15047D53DFB3A4334CC85B7A7F99FB46300F18868AE1D5D6AC2C294EC84E762

Function 008A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008B3CD6,?,?,?,?,?,?,?,?,008A5BA3,?,?,008B3CD6,?,?), ref: 008A5470
__fassign.LIBCMT ref: 008A54EB
__fassign.LIBCMT ref: 008A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008B3CD6,00000005,00000000,00000000), ref: 008A552C
WriteFile.KERNEL32(?,008B3CD6,00000000,008A5BA3,00000000,?,?,?,?,?,?,?,?,?,008A5BA3,?), ref: 008A554B
WriteFile.KERNEL32(?,?,00000001,008A5BA3,00000000,?,?,?,?,?,?,?,?,?,008A5BA3,?), ref: 008A5584

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6236e8eae3e99b411d54566ae277a28855db71d99294eca326a5351783496db1
Instruction ID: 13e3238ac1899dd97adf5697ba60b8bc0a903afbd6fa114d9eb8d38e854d1180
Opcode Fuzzy Hash: 6236e8eae3e99b411d54566ae277a28855db71d99294eca326a5351783496db1
Instruction Fuzzy Hash: 6451A5B1D046499FEB10CFA8D855AEEBBF9FF0A300F14415AFA55E7291D7309A81CB60

Function 00892D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00892D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00892D53
_ValidateLocalCookies.LIBCMT ref: 00892DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00892E0C
_ValidateLocalCookies.LIBCMT ref: 00892E61

Strings

csm, xrefs: 00892DF6

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e97dc51be5290811dba5f67676f2b57fa42adbfe171f553c5ee05048729f1a8a
Instruction ID: bac4ad87b4dfd8ac3f22ac4bed4865d01ded59d1d97241a645e984ef08f93670
Opcode Fuzzy Hash: e97dc51be5290811dba5f67676f2b57fa42adbfe171f553c5ee05048729f1a8a
Instruction Fuzzy Hash: 44419234A0120DABCF14FF68C885A9EBBB5FF45328F188165E814EB392D7319A55CBD1

Function 008F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008F307A
Part of subcall function 008F304E: _wcslen.LIBCMT ref: 008F309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008F1112
WSAGetLastError.WSOCK32 ref: 008F1121
WSAGetLastError.WSOCK32 ref: 008F11C9
closesocket.WSOCK32(00000000), ref: 008F11F9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b8e09004cfe72efeb494150b0e9c39ea010cb2edec84ffa24f8b7934662b78db
Instruction ID: 55d085a5a0beaa6205250b1e58db1a1794c524efbc4977a85138df60d19b8df4
Opcode Fuzzy Hash: b8e09004cfe72efeb494150b0e9c39ea010cb2edec84ffa24f8b7934662b78db
Instruction Fuzzy Hash: 4A41C271600208EFDB109F28C888BB9B7A9FF45328F148159FE19DB291C770ED81CBA1

Function 008DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008DCF22,?), ref: 008DDDFD

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008DCF22,?), ref: 008DDE16

lstrcmpiW.KERNEL32(?,?), ref: 008DCF45
MoveFileW.KERNEL32(?,?), ref: 008DCF7F
_wcslen.LIBCMT ref: 008DD005
_wcslen.LIBCMT ref: 008DD01B
SHFileOperationW.SHELL32(?), ref: 008DD061

Strings

\*.*, xrefs: 008DCFF3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e407f366686ae0bc83578c9e4a16df413304574bb49731b35c5c47aff50e3326
Instruction ID: d0dcbfd901e2731374ee6992e59fddcee123c688a64aac7325f4b78385f5145b
Opcode Fuzzy Hash: e407f366686ae0bc83578c9e4a16df413304574bb49731b35c5c47aff50e3326
Instruction Fuzzy Hash: 034163B19452195FDF12EBA4C981EDEB7B9FF08380F0001E7E549EB241EE74AA48CB51

Function 00902DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00902E1C
GetWindowLongW.USER32(?,000000F0), ref: 00902E4F
GetWindowLongW.USER32(?,000000F0), ref: 00902E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00902EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00902EE0
GetWindowLongW.USER32(?,000000F0), ref: 00902EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00902F0B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6128f12715adcbf18c63552b61fa86d074299843e5c537c49a92cf227a79a241
Instruction ID: ad81c6a4e5b5f9b1e9a49f67c152deac849a72112c819c94f63e1d708400b27f
Opcode Fuzzy Hash: 6128f12715adcbf18c63552b61fa86d074299843e5c537c49a92cf227a79a241
Instruction Fuzzy Hash: 01310634698151AFDB21CF58DC88F6537E9FB8AB50F150164FA058F2F2CB71A880EB41

Function 008D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D778F
SysAllocString.OLEAUT32(00000000), ref: 008D7792
SysAllocString.OLEAUT32(?), ref: 008D77B0
SysFreeString.OLEAUT32(?), ref: 008D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008D77DE
SysAllocString.OLEAUT32(?), ref: 008D77EC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 82c2d6ef4bc21a7183eec9281f80749a1a020bdd76d40f700986a74d397d83bc
Instruction ID: f30b93acf30f132ec0b3d9a0679d89195b182a098b8accd5ebc8cb966d83da11
Opcode Fuzzy Hash: 82c2d6ef4bc21a7183eec9281f80749a1a020bdd76d40f700986a74d397d83bc
Instruction Fuzzy Hash: AE219576608219AFDB10EFA8CC84CBB77ACFB097647048626FA15DB2A1E670DC418764

Function 008D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D7868
SysAllocString.OLEAUT32(00000000), ref: 008D786B
SysAllocString.OLEAUT32 ref: 008D788C
SysFreeString.OLEAUT32 ref: 008D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008D78AF
SysAllocString.OLEAUT32(?), ref: 008D78BD

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d8ab61663d86d34c83220e8e267fbb61343bb7ab02b25ca15964cbb8f38cadce
Instruction ID: b7ba00616c8fa0d54efb7b0bc5e54f50eea13eae41b0117dc8053b18a074cc60
Opcode Fuzzy Hash: d8ab61663d86d34c83220e8e267fbb61343bb7ab02b25ca15964cbb8f38cadce
Instruction Fuzzy Hash: FB214475608108AFDB10AFA8DC89DAA77ECFB097607108236F915CB2A1E674DC41DB68

Function 008E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E052E

Strings

nul, xrefs: 008E0567

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1aa3d50539942dda9ba1b1f47aa6f43a06e4341e0363e8d0150569a050d61c97
Instruction ID: 6a8b63666489e708f038dc0d72829a536f717531ad38ce8d0b063ce91767698c
Opcode Fuzzy Hash: 1aa3d50539942dda9ba1b1f47aa6f43a06e4341e0363e8d0150569a050d61c97
Instruction Fuzzy Hash: 88212AB5504345AFDB209F6ADC44A9A7BB4FF46724F604E19F8A1E62E0D7B0D980DF20

Function 008E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E0601

Strings

nul, xrefs: 008E0639

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 79a7639a59d5b2bba985161c989f0b0139b74966b6218c7fc9ce9e31dcde3c87
Instruction ID: 1dab7e7a4616041ed4530fe269ecafaad6958effa0a3c9cb081be47917d0ff4e
Opcode Fuzzy Hash: 79a7639a59d5b2bba985161c989f0b0139b74966b6218c7fc9ce9e31dcde3c87
Instruction Fuzzy Hash: FE215C755003459FDB209F6A9804A9A77A4FFA6724F240F19F8A1E62E0D6B098A0CF10

Function 009040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0087600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0087604C
Part of subcall function 0087600E: GetStockObject.GDI32(00000011), ref: 00876060
Part of subcall function 0087600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0087606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00904112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0090411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0090412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00904139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00904145

Strings

Msctls_Progress32, xrefs: 009040E3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af272d942879459aa8d1b4729870456de73aeea43fb3cfd15a03f59c3c6b1123
Instruction ID: c0e5522507e5fcfb3001a4a01263578d832c6398fb8a8373c5a555d40984e445
Opcode Fuzzy Hash: af272d942879459aa8d1b4729870456de73aeea43fb3cfd15a03f59c3c6b1123
Instruction Fuzzy Hash: 871193B215011DBEEF218F64CC85EE77F6DEF18798F004110B718E2190CA729C61DBA4

Function 008AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008AD7A3: _free.LIBCMT ref: 008AD7CC

_free.LIBCMT ref: 008AD82D

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008AD838
_free.LIBCMT ref: 008AD843
_free.LIBCMT ref: 008AD897
_free.LIBCMT ref: 008AD8A2
_free.LIBCMT ref: 008AD8AD
_free.LIBCMT ref: 008AD8B8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b71c5759d9493e1b6ab6ccd71d39aa440f5665ef5ed3824197578a34cd4075ff
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 58113D71540B04AAE531BFB8CC47FCB7BDCFF02700F440825B29AE6CA2DA65B5058652

Function 008DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008DDA74
LoadStringW.USER32(00000000), ref: 008DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008DDA91
LoadStringW.USER32(00000000), ref: 008DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008DDAB9

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9d365c54b1917b29b14deef9f299ad05cd811bcccfc8a41b68b2d2efd6f1ac6d
Instruction ID: 6e74a13623ea6268e8353e83c7d43cb2f16ec366be89b3601b5736d47c578d04
Opcode Fuzzy Hash: 9d365c54b1917b29b14deef9f299ad05cd811bcccfc8a41b68b2d2efd6f1ac6d
Instruction Fuzzy Hash: 590186F69043187FE750ABA4DD89EEB336CE708305F404692F746E2081E6749E844F74

Function 008E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012CD398,012CD398), ref: 008E097B
EnterCriticalSection.KERNEL32(012CD378,00000000), ref: 008E098D
TerminateThread.KERNEL32(?,000001F6), ref: 008E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008E09A9
CloseHandle.KERNEL32(?), ref: 008E09B8
InterlockedExchange.KERNEL32(012CD398,000001F6), ref: 008E09C8
LeaveCriticalSection.KERNEL32(012CD378), ref: 008E09CF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e8ebbd3ceb1aeb08b7a4e241173dd88eb5528bc081d404fe07a0cde2d5e3fcd0
Instruction ID: 0c92de8085aa507457dba42ca0c549ebf7db779de04765d6dcb1a48ba5fe5f06
Opcode Fuzzy Hash: e8ebbd3ceb1aeb08b7a4e241173dd88eb5528bc081d404fe07a0cde2d5e3fcd0
Instruction Fuzzy Hash: ABF03171456502BFD7416F94EE8CBD67B35FF01702F401215F10190CA1C77494A5DF90

Function 008F1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008F1DE1
WSAGetLastError.WSOCK32 ref: 008F1DF2
htons.WSOCK32(?,?,?,?,?), ref: 008F1EDB
inet_ntoa.WSOCK32(?), ref: 008F1E8C

Part of subcall function 008D39E8: _strlen.LIBCMT ref: 008D39F2

Part of subcall function 008F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008EEC0C), ref: 008F3240

_strlen.LIBCMT ref: 008F1F35

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e7523ea926ff726b796deae2368480bfb3c50a81c7a6ec15f442ee250ecf7190
Instruction ID: a29c59cea261a04695d3ba0e26654b804347172de0ffcad396fa8f81f82b14b6
Opcode Fuzzy Hash: e7523ea926ff726b796deae2368480bfb3c50a81c7a6ec15f442ee250ecf7190
Instruction Fuzzy Hash: A9B1BE30204344AFC724EF28C889E3A7BA5FF85318F54855CF55A9B2A2DB31ED45CB92

Function 00875D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00875D30
GetWindowRect.USER32(?,?), ref: 00875D71
ScreenToClient.USER32(?,?), ref: 00875D99
GetClientRect.USER32(?,?), ref: 00875ED7
GetWindowRect.USER32(?,?), ref: 00875EF8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c6e8c3d19612f7f43743bf243e4512faf4681093fa1b6a568845d11fe6a1cca0
Instruction ID: fc1f42a078a210cd0f8c29d9d19cc5d4ef523d6e6d17c2e2f26901730813448b
Opcode Fuzzy Hash: c6e8c3d19612f7f43743bf243e4512faf4681093fa1b6a568845d11fe6a1cca0
Instruction Fuzzy Hash: F0B17735A00A4ADBDB10CFA9C4817EEBBF1FF58310F14951AE8AAD7254DB30EA40DB50

Function 008A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A00D6
__allrem.LIBCMT ref: 008A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A010B
__allrem.LIBCMT ref: 008A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A0140

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 84c86851604e99395b9e4c84146bed8f3c6d867898e153ec4ab569d0ef3fa8e4
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: B881C771A00B069BFB24AF6CCC41BAA73E9FF52764F244539F551D7A82EB70D9008B51

Function 008A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008982D9,008982D9,?,?,?,008A644F,00000001,00000001,8BE85006), ref: 008A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008A644F,00000001,00000001,8BE85006,?,?,?), ref: 008A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008A63D8
__freea.LIBCMT ref: 008A63E5

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

__freea.LIBCMT ref: 008A63EE
__freea.LIBCMT ref: 008A6413

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4618e9ab21a01c98c7d5d3c3fd043daa8c22a3f5a524166dbfccdf22a6bb918d
Instruction ID: 8e0184c18aac29f6034b715578b403f23f0b5e08e86cb3b124edaf0e481916e9
Opcode Fuzzy Hash: 4618e9ab21a01c98c7d5d3c3fd043daa8c22a3f5a524166dbfccdf22a6bb918d
Instruction Fuzzy Hash: F351BF72A00216AFFF258F64CC81EAF76A9FF46710F184629F905D6644FB34DC61D660

Function 008FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008FBD25
RegCloseKey.ADVAPI32(00000000), ref: 008FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008FBDF3
RegCloseKey.ADVAPI32(?), ref: 008FBDFF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a8199cb1cb588332579db9cf5a65be9994bfe77aa17732880b868125785c4563
Instruction ID: 5b32e6fecfdb354c92928161f8dd02950433e9a13ceaaa103d604e5e93e4a4f4
Opcode Fuzzy Hash: a8199cb1cb588332579db9cf5a65be9994bfe77aa17732880b868125785c4563
Instruction Fuzzy Hash: 3981A270108245EFD714DF24C881E2ABBE5FF84348F14855CF6598B2A2DB31ED45CB92

Function 008CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008CF7B9
SysAllocString.OLEAUT32(00000001), ref: 008CF860
VariantCopy.OLEAUT32(008CFA64,00000000), ref: 008CF889
VariantClear.OLEAUT32(008CFA64), ref: 008CF8AD
VariantCopy.OLEAUT32(008CFA64,00000000), ref: 008CF8B1
VariantClear.OLEAUT32(?), ref: 008CF8BB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f8ae28edcffaacd7202ed3567f722b7c2e330ba3228027dbbf17e564ec45bc6f
Instruction ID: 54a6303aa16fce4236f0b5a469085f8814300afcc8c8aadcf26f7831b8f471e9
Opcode Fuzzy Hash: f8ae28edcffaacd7202ed3567f722b7c2e330ba3228027dbbf17e564ec45bc6f
Instruction Fuzzy Hash: 1E51E331600314ABEF24AB69D895F29B7B6FF45314B20846AEA05DF297DB70CC44C757

Function 008E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008E94E5
_wcslen.LIBCMT ref: 008E9506
_wcslen.LIBCMT ref: 008E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 008E9585

Strings

X, xrefs: 008E9412

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c30ae7b558e624f8c9c5dac2570d11b800e0ba0a111ab5056cf906677f08e2e8
Instruction ID: 7a4524502062b0033b4fe9006c21efc2fb0f4d4f150e9708995f474a6e340f6c
Opcode Fuzzy Hash: c30ae7b558e624f8c9c5dac2570d11b800e0ba0a111ab5056cf906677f08e2e8
Instruction Fuzzy Hash: E5E1AF315083409FD724EF29C881A6AB7E0FF86314F14896DF899DB2A2DB71DD45CB92

Function 0088920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

BeginPaint.USER32(?,?,?), ref: 00889241
GetWindowRect.USER32(?,?), ref: 008892A5
ScreenToClient.USER32(?,?), ref: 008892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008892D3
EndPaint.USER32(?,?,?,?,?), ref: 00889321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008C71EA

Part of subcall function 00889339: BeginPath.GDI32(00000000), ref: 00889357

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 546c90569972ea1dd072e4ff79b5c782b919940b62cacf8086fe07ae28e611a8
Instruction ID: 84d55b1b8ee8abcd8fafa5b857bc3a1cdfa8b7dab8bfb7bad58b0ce411c15af9
Opcode Fuzzy Hash: 546c90569972ea1dd072e4ff79b5c782b919940b62cacf8086fe07ae28e611a8
Instruction Fuzzy Hash: A2419D70108201AFD721EF64DC84FBA7BB8FB56324F180269F9A5C72E1C7719845EB62

Function 008E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008E0847
EnterCriticalSection.KERNEL32(?), ref: 008E0863
LeaveCriticalSection.KERNEL32(?), ref: 008E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 008E0921

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 12577c0988a86955f5350d55d64627bf5aeab2eeca88e6c66c3a5a4d07b18cde
Instruction ID: 8e8e191644a4039e8168b7a837e55030a4ccb282ac60318addcdee9ebcb89342
Opcode Fuzzy Hash: 12577c0988a86955f5350d55d64627bf5aeab2eeca88e6c66c3a5a4d07b18cde
Instruction Fuzzy Hash: 5C415671900205EFDF14AF58DC85AAA77B8FF45300B1444A5E900DE297DB70DEA1DFA1

Function 009081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008CF3AB,00000000,?,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 0090824C
EnableWindow.USER32(?,00000000), ref: 00908272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009082D1
ShowWindow.USER32(?,00000004), ref: 009082E5
EnableWindow.USER32(?,00000001), ref: 0090830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0090832F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 90a34274ae268553621eabaacd7fe4dd05f99e4029af535899273648ef939ac8
Instruction ID: c48d14c2e69fa968cde2e170dae8d0046e5317c0745189575e058df4a5d593f3
Opcode Fuzzy Hash: 90a34274ae268553621eabaacd7fe4dd05f99e4029af535899273648ef939ac8
Instruction Fuzzy Hash: 0241D534705644EFDF25CF18D899FE57BE4FB4A754F180268E6984B2E2CB31A881DB40

Function 008D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008D4CEA
_wcslen.LIBCMT ref: 008D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008D4D10
_wcsstr.LIBVCRUNTIME ref: 008D4D1A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 42a05d122d3cffccda830d23c4b9c1b05736313b611fa1fc2448b806dd2924ab
Instruction ID: 9fe091df673739a74e4176e64679b55707ff8d8f188ac3ac981b553f193376ce
Opcode Fuzzy Hash: 42a05d122d3cffccda830d23c4b9c1b05736313b611fa1fc2448b806dd2924ab
Instruction Fuzzy Hash: AE214972204205BFEB256B39DC09E3B7B9DFF45710F10522AF805CA292DE71CC0193A0

Function 008E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

_wcslen.LIBCMT ref: 008E587B
CoInitialize.OLE32(00000000), ref: 008E5995
CoCreateInstance.OLE32(0090FCF8,00000000,00000001,0090FB68,?), ref: 008E59AE
CoUninitialize.OLE32 ref: 008E59CC

Strings

.lnk, xrefs: 008E5876, 008E58C1, 008E5985

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c6be00a0086cc48dde41f3a929ed42a39f292a3fd5d7c5c263eccf017af2be64
Instruction ID: 2e8130565f778e3e18cbd65aaef581c182e74550533f3b5093e2f072c9e37c14
Opcode Fuzzy Hash: c6be00a0086cc48dde41f3a929ed42a39f292a3fd5d7c5c263eccf017af2be64
Instruction Fuzzy Hash: FFD155716086019FC714EF29C48096ABBE1FF8A728F14885DF889DB361DB31ED45CB92

Function 008D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D0FCA
Part of subcall function 008D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D0FD6
Part of subcall function 008D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D0FE5
Part of subcall function 008D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D0FEC
Part of subcall function 008D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D1002

GetLengthSid.ADVAPI32(?,00000000,008D1335), ref: 008D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008D17BA
HeapAlloc.KERNEL32(00000000), ref: 008D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008D17DA
GetProcessHeap.KERNEL32(00000000,00000000,008D1335), ref: 008D17EE
HeapFree.KERNEL32(00000000), ref: 008D17F5

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f7da7c36161eedd77331d84b46e088c18bbf9b7f02764cd27fdf26019b73da19
Instruction ID: 896b1f691a5cdd06d1ebd03367be58a68db2af1b5b58babd11b59318c8babbae
Opcode Fuzzy Hash: f7da7c36161eedd77331d84b46e088c18bbf9b7f02764cd27fdf26019b73da19
Instruction Fuzzy Hash: D3118971618205FFDF109FA4CC49BAE7BB9FF45355F10421AE441D7224C735A940DB60

Function 008D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008D1515
CloseHandle.KERNEL32(00000004), ref: 008D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008D1563

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7e17b18dc04177b0449ee62765863fce3be87213accc1d3caa8a9d2de034b8e3
Instruction ID: e3bae644f5088553ede57ab9f52d91c22db61d8846041172b8a87f4bbb7a9049
Opcode Fuzzy Hash: 7e17b18dc04177b0449ee62765863fce3be87213accc1d3caa8a9d2de034b8e3
Instruction Fuzzy Hash: F41117B2514209BFDF118F98ED49BDA7BBAFF48744F048215FA05E21A0C3758E60EB60

Function 00893382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00893379,00892FE5), ref: 00893390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0089339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008933B7
SetLastError.KERNEL32(00000000,?,00893379,00892FE5), ref: 00893409

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6da13c6f64f5252fbcbe90772b4966021a0c4c152ac1b654090b9267ef45ca6e
Instruction ID: d3c4f591ef4e5afb9ec2dd8a93600e1263790e4f585a304314de836c9bbad6fb
Opcode Fuzzy Hash: 6da13c6f64f5252fbcbe90772b4966021a0c4c152ac1b654090b9267ef45ca6e
Instruction Fuzzy Hash: 2301247222D711BEEF2937787C859272A94FB253793280329F411D02F0EF114D027A45

Function 008A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008A5686,008B3CD6,?,00000000,?,008A5B6A,?,?,?,?,?,0089E6D1,?,00938A48), ref: 008A2D78
_free.LIBCMT ref: 008A2DAB
_free.LIBCMT ref: 008A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0089E6D1,?,00938A48,00000010,00874F4A,?,?,00000000,008B3CD6), ref: 008A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0089E6D1,?,00938A48,00000010,00874F4A,?,?,00000000,008B3CD6), ref: 008A2DEC
_abort.LIBCMT ref: 008A2DF2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 59a2c7de08474568023d62c5bf69c63b4b173db8ddcaca1ed642008277967b75
Instruction ID: 6d1aeafa1d128bb22b99ed211cf50fbecaa7921e29c11756e192f61b1094e82b
Opcode Fuzzy Hash: 59a2c7de08474568023d62c5bf69c63b4b173db8ddcaca1ed642008277967b75
Instruction Fuzzy Hash: 6CF0A471519A046BF632277DBC06F1B265AFFC37A5F250618F924D29D3FF2488016162

Function 00908A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00889639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00889693
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896A2
Part of subcall function 00889639: BeginPath.GDI32(?), ref: 008896B9
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00908A4E
LineTo.GDI32(?,00000003,00000000), ref: 00908A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00908A70
LineTo.GDI32(?,00000000,00000003), ref: 00908A80
EndPath.GDI32(?), ref: 00908A90
StrokePath.GDI32(?), ref: 00908AA0

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c52179808d3e8d5ce7b2d0af0d1dda1eabb6853d20da47c925b8de0fea96d4ac
Instruction ID: 6d3fcacdbf73ec63a08929bc960804cb3bcbc165214bb6a5917fdabc9305cf73
Opcode Fuzzy Hash: c52179808d3e8d5ce7b2d0af0d1dda1eabb6853d20da47c925b8de0fea96d4ac
Instruction Fuzzy Hash: E5110976104109FFEF129F94DC88EAA7F6CEB08390F048112FA599A1A1C7719D55EBA0

Function 008D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D5230
ReleaseDC.USER32(00000000,00000000), ref: 008D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008D5261

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 14efb63202febf19b0cf66d552ff2bda5a8b53d903c2ceea2c921fdc132bef5c
Instruction ID: ff5f9126e48bb23d0f5af5173952fdcfb17a0035947bad2073a1a14dea619cf3
Opcode Fuzzy Hash: 14efb63202febf19b0cf66d552ff2bda5a8b53d903c2ceea2c921fdc132bef5c
Instruction Fuzzy Hash: 99014FB5A04719BFEB109BA59C49F5EBFB8FB48751F044166FA04E7281DA709804DFA0

Function 00871BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00871BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00871BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00871C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00871C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00871C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00871C22

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c4b6f13375f9ff4c3ffbc1af26b9229e8ffdad016280eed70d110b1024670be4
Instruction ID: 570fd1afc261f3e1153463b832deee2c304fd438f33f6f6741e4a6a76d5252c1
Opcode Fuzzy Hash: c4b6f13375f9ff4c3ffbc1af26b9229e8ffdad016280eed70d110b1024670be4
Instruction Fuzzy Hash: DB016CB090275A7DE3008F5A8C85B52FFE8FF19354F00411B915C47941C7F5A864CBE5

Function 008DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008DEB75

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 09934cc318158c6b761a01dde02bad44e38e0ca3d4adda61fc1c22d2e26b23d6
Instruction ID: 71d261b0b032f6963daae335ed9864ebb9776a947ae53df5273b1154155fd8ad
Opcode Fuzzy Hash: 09934cc318158c6b761a01dde02bad44e38e0ca3d4adda61fc1c22d2e26b23d6
Instruction Fuzzy Hash: F5F09AB2214119BFE7205B629C0EEEF3A7CEFCAF11F000259F601E1090D7A11A01EAB4

Function 008C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008C7469
GetWindowDC.USER32(?), ref: 008C7475
GetPixel.GDI32(00000000,?,?), ref: 008C7484
ReleaseDC.USER32(?,00000000), ref: 008C7496
GetSysColor.USER32(00000005), ref: 008C74B0

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5b45b341e7d15a2d20618e0ad47193fdda6da1a55e4403e89d0d739ce60b28bb
Instruction ID: 91da6a0045ac6b0145695f8c0a25b9d911b3bb8fd4619c4ee6f80ca2ee26b3bc
Opcode Fuzzy Hash: 5b45b341e7d15a2d20618e0ad47193fdda6da1a55e4403e89d0d739ce60b28bb
Instruction Fuzzy Hash: A2018B7141820AFFDB605F64DC08FAA7BB5FF04321F100264FA15A20A0CB311E41BF10

Function 008D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008D187F
UnloadUserProfile.USERENV(?,?), ref: 008D188B
CloseHandle.KERNEL32(?), ref: 008D1894
CloseHandle.KERNEL32(?), ref: 008D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008D18A5
HeapFree.KERNEL32(00000000), ref: 008D18AC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 442514f329f9c323caba379569c1653dc24cb65150f052f50d224ccc33f01419
Instruction ID: 958b2c3799fb9828ffe69f494979f92b8f34f0041ca4e5ad02a6fcffd401830e
Opcode Fuzzy Hash: 442514f329f9c323caba379569c1653dc24cb65150f052f50d224ccc33f01419
Instruction Fuzzy Hash: D2E0E5B602C101BFDB015FA1ED0C90ABF39FF49B22B108320F225810B0CB329460EF90

Function 008DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008DC6EE
_wcslen.LIBCMT ref: 008DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008DC7CA

Strings

0, xrefs: 008DC6AF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 879cd09359eb0b50c9e4dd140c0d8f40fe4e8cbb4ebb649c191f4a97cd7c9e53
Instruction ID: fb0b9bdade0a59b82a3b3a3064c0aa688a8dc73421e53d795b6b0273b4bb38bc
Opcode Fuzzy Hash: 879cd09359eb0b50c9e4dd140c0d8f40fe4e8cbb4ebb649c191f4a97cd7c9e53
Instruction Fuzzy Hash: B951DC716183029BD724AF2CD885B6AB7E8FF89314F040B2EF995D23A1DB70D844DB52

Function 008FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008FAEA3

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

GetProcessId.KERNEL32(00000000), ref: 008FAF38
CloseHandle.KERNEL32(00000000), ref: 008FAF67

Strings

@, xrefs: 008FAE72
<, xrefs: 008FAE6B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: edc4a6941751cab12372427f3a5ceaae474bab75a76c3d1676d3151e7795ab23
Instruction ID: 8a48a6f0237ddda6269c69f88c172b47046576fcc5a940543e07e40cf04cf8f0
Opcode Fuzzy Hash: edc4a6941751cab12372427f3a5ceaae474bab75a76c3d1676d3151e7795ab23
Instruction Fuzzy Hash: 80713B75A00219DFCB14DF68C484AAEBBB4FF08314F148459E91AEB351CB74ED41CB92

Function 008D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008D72CF

Strings

DllGetClassObject, xrefs: 008D7242

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b9d3da890a1bdf55f5373322021fc5c3455d2f9f80c5f123666203f71f334b44
Instruction ID: 0891586206ee4a8fb21b4df90c9131f1023d654924c82aba6de230783205150e
Opcode Fuzzy Hash: b9d3da890a1bdf55f5373322021fc5c3455d2f9f80c5f123666203f71f334b44
Instruction Fuzzy Hash: DE417FB1604204EFDB15CF54C884A9A7BA9FF44314F1482AEBD06DF30AE7B0D944CBA0

Function 00903D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00903E35
IsMenu.USER32(?), ref: 00903E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00903E92
DrawMenuBar.USER32 ref: 00903EA5

Strings

0, xrefs: 00903D89

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2c2f336dbde31ab185b56440aa4fa0a722d72bf9d920a57595166f02661ec625
Instruction ID: 0e8f732c724307e26351188aa7824d955a45bb61eb1f20ea0b4ac604bf38cdf0
Opcode Fuzzy Hash: 2c2f336dbde31ab185b56440aa4fa0a722d72bf9d920a57595166f02661ec625
Instruction Fuzzy Hash: AA413879A15209EFDB10DF54D884EAABBBDFF49354F048229F905A7290D730AE44DF50

Function 008D1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008D1EA9

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Strings

ListBox, xrefs: 008D1E25
ComboBox, xrefs: 008D1DF0

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 71ff38a902072ccba6786ea21a9e27612dd2c53b6d2fa92ad99d6cc691f797fe
Instruction ID: 044a973bcf05606164b4adc331aaa5ac7866bf6d55580fb323a44c16c5c7dc34
Opcode Fuzzy Hash: 71ff38a902072ccba6786ea21a9e27612dd2c53b6d2fa92ad99d6cc691f797fe
Instruction Fuzzy Hash: B1210B71A00104BFDF14AB68DC4ACFFB7B9FF45354B14421AF815E72E1DB354A069621

Function 00902F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00902F8D
LoadLibraryW.KERNEL32(?), ref: 00902F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00902FA9
DestroyWindow.USER32(?), ref: 00902FB1

Strings

SysAnimate32, xrefs: 00902F68

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a1f2eae07717688dfc50ad1096431dd9801aef564cf3665d959e853c53bc8f5b
Instruction ID: be9de8ecd798a2ee923887b6ee7de88c86b8d8f4723862f0e7c1358af8648656
Opcode Fuzzy Hash: a1f2eae07717688dfc50ad1096431dd9801aef564cf3665d959e853c53bc8f5b
Instruction Fuzzy Hash: 5E219D7120420AAFEB215F64DC88EBB77BDEB993A4F104618FA50D21D0D771DC91A760

Function 00894D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00894D1E,008A28E9,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002), ref: 00894D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00894DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00894D1E,008A28E9,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002,00000000), ref: 00894DC3

Strings

mscoree.dll, xrefs: 00894D86
CorExitProcess, xrefs: 00894D98

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e144620e6a3e4bad2dee7aca57362f6fa4f807e463fc3eef49619d4cd283aa30
Instruction ID: d950f15050f3a4f61fe558acdf5772d28f7c9a7410c75d950277f620a45f09cf
Opcode Fuzzy Hash: e144620e6a3e4bad2dee7aca57362f6fa4f807e463fc3eef49619d4cd283aa30
Instruction Fuzzy Hash: A5F0AF74A14208BFDF11AF90DC09BEDBBF4EF84752F0401A4F809E22A0DB715981EB90

Function 00874E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00874EAE
FreeLibrary.KERNEL32(00000000,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00874EA8
kernel32.dll, xrefs: 00874E94

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0f36a7e9d3ce9faf3fe97ec7eed107ddbe61c49d25e56d858a4d1b77af49272a
Instruction ID: 0fe67b2b90f83fe75b5470eee2780fa65f0da3bf25f47e8206808f820584c635
Opcode Fuzzy Hash: 0f36a7e9d3ce9faf3fe97ec7eed107ddbe61c49d25e56d858a4d1b77af49272a
Instruction Fuzzy Hash: B8E0C277A1E6229FD3721B25AC18B6F7698FFC2F76B054215FC08E2244DBA4CD0194E0

Function 00874E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00874E74
FreeLibrary.KERNEL32(00000000,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00874E6E
kernel32.dll, xrefs: 00874E5B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fce5224bab7eb738cb05a1c3abeeae9a4c8c2e3de317fcb444ee51ca62c52ef3
Instruction ID: 3d5bcc1fec900f54454cb5f10e3977e65cd2a417c9875fbd838a02780b84f583
Opcode Fuzzy Hash: fce5224bab7eb738cb05a1c3abeeae9a4c8c2e3de317fcb444ee51ca62c52ef3
Instruction Fuzzy Hash: 83D0C23351A6215BC6621B246C08D8B2A1CFF85B353459310B808E2158CF60CD01D6D0

Function 008E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E2C05
DeleteFileW.KERNEL32(?), ref: 008E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E2CC0

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 99941b0228a5bc32eef80201522e37957df9f8970f5cf0e7603f748714dd1867
Instruction ID: 15842d1aba19781bfa6fbd85a98c068cb2691f66688c99ecd283ca29ec4b37ea
Opcode Fuzzy Hash: 99941b0228a5bc32eef80201522e37957df9f8970f5cf0e7603f748714dd1867
Instruction Fuzzy Hash: 7CB14E71900129ABDF21EBA9CC85EDEB7BDFF49350F1040A6F609E6145EA709A448F62

Function 008FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008FA468
CloseHandle.KERNEL32(?), ref: 008FA63D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8ac4dff467601a8a3ca5a99563ea9d4e653a5f422a0ced1fa84bafb6c9fd3864
Instruction ID: 672cbd31eeb9b19784710d135873d0df74aa895443670a238ab2c380f9bb13e1
Opcode Fuzzy Hash: 8ac4dff467601a8a3ca5a99563ea9d4e653a5f422a0ced1fa84bafb6c9fd3864
Instruction Fuzzy Hash: 68A14DB16043019FD724DF28C886B2AB7E5FF44714F14895DF55ADB292DBB0EC418B92

Function 008ABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00913700), ref: 008ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0094121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00941270,000000FF,?,0000003F,00000000,?), ref: 008ABC36
_free.LIBCMT ref: 008ABB7F

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008ABD4B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: a6581b6358f6b8c11dd6b7043539cfc29c7c41a0b3cecb7d54f1c367682abae6
Instruction ID: 288221571c6324348d29b68ca1de18e1b15fb04e788dc4d4f7e59549370b6c77
Opcode Fuzzy Hash: a6581b6358f6b8c11dd6b7043539cfc29c7c41a0b3cecb7d54f1c367682abae6
Instruction Fuzzy Hash: 08511A71904219AFEB14EF699C41DAEB7BCFF43330F10026AE520D7692EB709E819B51

Function 008DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008DCF22,?), ref: 008DDDFD

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008DCF22,?), ref: 008DDE16

Part of subcall function 008DE199: GetFileAttributesW.KERNEL32(?,008DCF95), ref: 008DE19A

lstrcmpiW.KERNEL32(?,?), ref: 008DE473
MoveFileW.KERNEL32(?,?), ref: 008DE4AC
_wcslen.LIBCMT ref: 008DE5EB
_wcslen.LIBCMT ref: 008DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008DE650

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: caa09b730df793d54a14271e390372dc2bd3ece5f0d4cad151874d7b768d4f9a
Instruction ID: c513ebd86e00f5d67186e25d23e2500cbd8fb69695f27e3c4e263080344fa494
Opcode Fuzzy Hash: caa09b730df793d54a14271e390372dc2bd3ece5f0d4cad151874d7b768d4f9a
Instruction Fuzzy Hash: 7D515FB24087455BCB24EB94D8819DB73ECFF94344F004A2FF589D7291EE74A688876B

Function 008FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008FBB63
RegCloseKey.ADVAPI32(?,?), ref: 008FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 008FBBB3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9076bf4e3437d02cdef87ee7df9aafcf534adf16528b2b417c721e7120955fe8
Instruction ID: ea9ccec9fb3d6d9912d812b9981d9269010a98c6cc49b14dbcb4077a2f6276b7
Opcode Fuzzy Hash: 9076bf4e3437d02cdef87ee7df9aafcf534adf16528b2b417c721e7120955fe8
Instruction Fuzzy Hash: 6E61A071208245AFD714DF24C491E3ABBE9FF84318F14895CF5998B2A2DB31ED45CB92

Function 008D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D8BCD
VariantClear.OLEAUT32 ref: 008D8C3E
VariantClear.OLEAUT32 ref: 008D8C9D
VariantClear.OLEAUT32(?), ref: 008D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008D8D3B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: fdb1e837269735d852826b37f9395a565fa3a14356586f895b1cde321ad7a42a
Instruction ID: b66716b378f71e01878093b8f0e8d66d6c3c731d40af6280b08659d66b62b9b0
Opcode Fuzzy Hash: fdb1e837269735d852826b37f9395a565fa3a14356586f895b1cde321ad7a42a
Instruction Fuzzy Hash: AC5159B5A10219EFCB14CF68C894AAAB7F9FF89314B15865AE905DB350E730E911CF90

Function 008E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008E8C5F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8f8ffb28176889daf0ee7ee2bf94522a731edcc10905316bbcc6a2868f04cd2c
Instruction ID: db18e1931e524b0966811ae1b283cbe8ce588f634b51d71a1abc917ed1ec2773
Opcode Fuzzy Hash: 8f8ffb28176889daf0ee7ee2bf94522a731edcc10905316bbcc6a2868f04cd2c
Instruction Fuzzy Hash: 8C513635A00218DFCB05DF69C881A6DBBF5FF49314F188058E849AB362CB31ED51DB91

Function 008F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 008F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 008F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 008F9032
FreeLibrary.KERNEL32(00000000), ref: 008F9052

Part of subcall function 0088F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008E1043,?,7529E610), ref: 0088F6E6
Part of subcall function 0088F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008CFA64,00000000,00000000,?,?,008E1043,?,7529E610,?,008CFA64), ref: 0088F70D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 235c122fe8f66449d9f02c8268e14755ed92f817702ba3532b7e2657fef7eb78
Instruction ID: 10f0f6e547b760762444d2b748d1fd8bcf643e7061abcfce9efa144f1a01f77b
Opcode Fuzzy Hash: 235c122fe8f66449d9f02c8268e14755ed92f817702ba3532b7e2657fef7eb78
Instruction Fuzzy Hash: 96512734604209DFC711DF68C4849A9BBF1FF49314B1981A8E94ADB362DB31ED85CB91

Function 00906B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00906C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00906C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00906C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008EAB79,00000000,00000000), ref: 00906C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00906CC7

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 85bb9a3234975e6bae7ae0e0840abf10855f9e62373556e11b20b5a74a64bea9
Instruction ID: bb0cd213ba70dff8aecd85dced12c5b6d0d7a7ad03f08b27e59a413b2c5ea24e
Opcode Fuzzy Hash: 85bb9a3234975e6bae7ae0e0840abf10855f9e62373556e11b20b5a74a64bea9
Instruction Fuzzy Hash: 1C41EA75A08124AFE724CF28CC54FA57BA9EB09350F140628FAD5A72E0C771ED61DA40

Function 008A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008A20C3
_free.LIBCMT ref: 008A20E3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8ec7992a71a00c7a2cbafb8e5c1bf2d516a96ecd3a1963d71fc32a6a16692617
Instruction ID: cf09f86f73eefea4bf2bea4b73b7129aa0f4ad022bade37a73ae81f85eb3e26c
Opcode Fuzzy Hash: 8ec7992a71a00c7a2cbafb8e5c1bf2d516a96ecd3a1963d71fc32a6a16692617
Instruction Fuzzy Hash: 6E41E172A006049FEB34DF7CC880A5EB7E5FF8A314F1545A9E615EB792DA31AD01CB81

Function 0088912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00889141
ScreenToClient.USER32(00000000,?), ref: 0088915E
GetAsyncKeyState.USER32(00000001), ref: 00889183
GetAsyncKeyState.USER32(00000002), ref: 0088919D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 111f5f53c41c1cee86ec63b7d68921e9d61416e58c8c935f3808e8893145b8d0
Instruction ID: 1476733cf0542977a3373856d206070dd4724b0c09750d9fa35e5d5201777809
Opcode Fuzzy Hash: 111f5f53c41c1cee86ec63b7d68921e9d61416e58c8c935f3808e8893145b8d0
Instruction Fuzzy Hash: C5417C75A0C61AAEDB05AF68C848BFEB774FB05324F24821AE465E22D0C734A950CF91

Function 008E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 008E3922
TranslateMessage.USER32(?), ref: 008E394B
DispatchMessageW.USER32(?), ref: 008E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E3966

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7e50da076a3b7bd4cee21ea8c390ed51528751f846f663b56b05fbc5bd10efa6
Instruction ID: 9883b3077d6cf23687c60b823ec178b5c44db80425fe942e751e4b953c46805e
Opcode Fuzzy Hash: 7e50da076a3b7bd4cee21ea8c390ed51528751f846f663b56b05fbc5bd10efa6
Instruction Fuzzy Hash: F131A6745183C5AEEB35DB36984DFB63BA8FB07304F040569E462D31A1E3B49E85DB21

Function 008ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,008EC21E,00000000), ref: 008ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 008ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,008EC21E,00000000), ref: 008ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,008EC21E,00000000), ref: 008ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,008EC21E,00000000), ref: 008ECFF2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 37bf2c5eb33861985fe13c1d3705a331e6714990e9c48e237e758856b5ddfbd0
Instruction ID: ebfc5a4f19eaafbb3551668ef5cf6284c4a4f198ae71d2514591f515ed0d9a1a
Opcode Fuzzy Hash: 37bf2c5eb33861985fe13c1d3705a331e6714990e9c48e237e758856b5ddfbd0
Instruction Fuzzy Hash: EE315EB1A04245EFDB20DFAAC884AABBBF9FF15355B10442EF516D2141DB70EE42DB60

Function 008D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008D19E2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3ddbd794432df34f4908154e35f7ba2d62134b46cc92787955a86fc94afefce3
Instruction ID: 79f7ab784eae34c7a9fa6dde2b51c8fc618414ab940ef374e31fd1a2563662a8
Opcode Fuzzy Hash: 3ddbd794432df34f4908154e35f7ba2d62134b46cc92787955a86fc94afefce3
Instruction Fuzzy Hash: D5318AB1A14219BFCB10CFA8C9A9A9E3BB5FF04315F10432AF921E72D1C7709944DB90

Function 00905706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00905745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0090579D
_wcslen.LIBCMT ref: 009057AF
_wcslen.LIBCMT ref: 009057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00905816

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e242e26f35e28ee6b04c024b77f40fcc410c9670d30ee8e5240e31de8e6b397f
Instruction ID: 459610de93d8cfd4e53290bd39a7af7e6d481b7727fc5c2ccb59429db21974bc
Opcode Fuzzy Hash: e242e26f35e28ee6b04c024b77f40fcc410c9670d30ee8e5240e31de8e6b397f
Instruction Fuzzy Hash: 64219E75904618AEDB209FA5CC84EEEBBBCFF44324F108616F929EA1D4E7708985CF50

Function 008F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008F0951
GetForegroundWindow.USER32 ref: 008F0968
GetDC.USER32(00000000), ref: 008F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 008F09B0
ReleaseDC.USER32(00000000,00000003), ref: 008F09E8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 25dd647d2d3aa36bffe2eb5a0f51935165362ed6acb066316f7e38cb1202e2fb
Instruction ID: 4d5b08a30e45179dff37b61aadc47238b7aae048fe8d60ff1f95e5bf9d2b1385
Opcode Fuzzy Hash: 25dd647d2d3aa36bffe2eb5a0f51935165362ed6acb066316f7e38cb1202e2fb
Instruction Fuzzy Hash: 4F218175A00208AFD714EF69C889AAEBBE5FF49704F048168F94AD7362DB70EC44DB50

Function 008ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008ACDE9

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008ACE0F
_free.LIBCMT ref: 008ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008ACE31

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8716db9b7e21c68a0d08699553f832228ea11b0bef67871367eb4894902f1888
Instruction ID: 0255ef0dc86a388962a1b4ac9ba021275e36562169e253e45580fff654d33d1e
Opcode Fuzzy Hash: 8716db9b7e21c68a0d08699553f832228ea11b0bef67871367eb4894902f1888
Instruction Fuzzy Hash: D00124B26052147F772117BAAC88C3B6A6CFEC3BA13140229F900D3600EB208D2191F0

Function 0088990C Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008898CC
SetTextColor.GDI32(?,?), ref: 008898D6
SetBkMode.GDI32(?,00000001), ref: 008898E9
GetStockObject.GDI32(00000005), ref: 008898F1
GetWindowLongW.USER32(?,000000EB), ref: 00889952

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 200f8c64b27b5e8408f87608d214e259fd79ae5f7b9072b85c2a7ce663b8590f
Instruction ID: d555a8fe59963c6571343abee1954e283cb2aed9425abfd8bebcfd37e6fcff3f
Opcode Fuzzy Hash: 200f8c64b27b5e8408f87608d214e259fd79ae5f7b9072b85c2a7ce663b8590f
Instruction Fuzzy Hash: C221B07114D290AFC7229F38EC98AB93F60FF17325B1D429EE9D2CA1A2C7314952DB51

Function 00889639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00889693
SelectObject.GDI32(?,00000000), ref: 008896A2
BeginPath.GDI32(?), ref: 008896B9
SelectObject.GDI32(?,00000000), ref: 008896E2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1b894c98924cb06b42c7dae69b35309f7adfef2891a95ab2f8d32a10031979e7
Instruction ID: 548db88f6831c12bca24c3418ab7793c72e07d3178e885be3ba6265a996a2753
Opcode Fuzzy Hash: 1b894c98924cb06b42c7dae69b35309f7adfef2891a95ab2f8d32a10031979e7
Instruction Fuzzy Hash: 1E217F7482A305EFDB11EF68EC04BB93BB8FB21355F140216F460E61A0E3709891EF90

Function 008D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008D5726
_memcmp.LIBVCRUNTIME ref: 008D5744
_memcmp.LIBVCRUNTIME ref: 008D5757
_memcmp.LIBVCRUNTIME ref: 008D576F
_memcmp.LIBVCRUNTIME ref: 008D5787

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e1d7251218188ad173b3462e5b68f625ed73bd8f5f740a61358c9333e7176d50
Instruction ID: 5423454f2a780b6e9db616bb0f66c71a06b5d4d47a49da49da492e3df13c9aa7
Opcode Fuzzy Hash: e1d7251218188ad173b3462e5b68f625ed73bd8f5f740a61358c9333e7176d50
Instruction Fuzzy Hash: C001D26124560AFEEA1861149D86EBA735CFF613A8F244123FD08DA781F720EE1086A1

Function 008A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0089F2DE,008A3863,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6), ref: 008A2DFD
_free.LIBCMT ref: 008A2E32
_free.LIBCMT ref: 008A2E59
SetLastError.KERNEL32(00000000,00871129), ref: 008A2E66
SetLastError.KERNEL32(00000000,00871129), ref: 008A2E6F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 86aa28da6e56dc236cbb27c7122b6ad22dfc188da37f94ceb063f31afbcef8f9
Instruction ID: 53772ce43cc9aa33165ad1b7480140e714f75313530b0ab92d62b1eb2578f302
Opcode Fuzzy Hash: 86aa28da6e56dc236cbb27c7122b6ad22dfc188da37f94ceb063f31afbcef8f9
Instruction Fuzzy Hash: 2F012872219A006BF632677D6C46E2B265DFBD37B5B240128F425E29D3FF74CCA16122

Function 008D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?,?,008D035E), ref: 008D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?), ref: 008D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0070

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c1a95507f1d1fcd2def7471d36cfd884d4ca59bedec365c4d075e1967a283ba3
Instruction ID: 99fd0c6d8ee53222562b671b80ba1c8aacd5fbefc298152598c5be7fe9f1cdb1
Opcode Fuzzy Hash: c1a95507f1d1fcd2def7471d36cfd884d4ca59bedec365c4d075e1967a283ba3
Instruction Fuzzy Hash: B2018BB2610604BFDB108F68DC04BAA7BADFF84792F148225FD05D2210E771DD40ABA0

Function 008DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008DE9A5
Sleep.KERNEL32(00000000), ref: 008DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008DE9B7
Sleep.KERNEL32 ref: 008DE9F3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ed175625cce60bf06951fb96bd75bd327e6351062ccb2b28e0f72fe87fe707a1
Instruction ID: b26d718c23f27de324b8a19d599d0dd54aac04530d1aecbcf542de04afaac7da
Opcode Fuzzy Hash: ed175625cce60bf06951fb96bd75bd327e6351062ccb2b28e0f72fe87fe707a1
Instruction Fuzzy Hash: 8C015771C0A62DEBCF40ABE5D869AEDBB78FB08310F000656E502F6240CB3095519BA1

Function 008D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D114D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 33926488fa95004251c009acd4a44f598a246a1c5fad631dc2fe65c9684b3028
Instruction ID: 3e87a38136acbb2d1d975af4c7f0f90bdd6064a4dc7a67cc4aab146536611c24
Opcode Fuzzy Hash: 33926488fa95004251c009acd4a44f598a246a1c5fad631dc2fe65c9684b3028
Instruction Fuzzy Hash: 470119B5214205BFEF114FA5DC4DA6A3B7EFF893A0B204619FA45D7360DA31DC40AA60

Function 008D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D1002

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4637dc3e0d06ee1abe08063c0300b731189ea6c45fcbde5cb03be8c72bd20ff2
Instruction ID: 0ece57ff2ea78184224a6a54a1fe5f5c33de57db2963b763cf0cc978aaa31af2
Opcode Fuzzy Hash: 4637dc3e0d06ee1abe08063c0300b731189ea6c45fcbde5cb03be8c72bd20ff2
Instruction Fuzzy Hash: E2F049B5214701BFDB215FA4AC4DF563BADFF89B62F104615FA45C6291CA70DC809A60

Function 008D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1062

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dcc10477520287629807fababaa7671c3373a83efe771dc23d5a65f690013749
Instruction ID: b4a78b7fb19eee4dc93d34897fb120d57cbca1f84ce8f533f315ca4379d80006
Opcode Fuzzy Hash: dcc10477520287629807fababaa7671c3373a83efe771dc23d5a65f690013749
Instruction Fuzzy Hash: AEF049B5214701BFDB216FA4EC4DF563BADFF89761F100615FA45C6250CA70DC809A60

Function 008E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0324
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0331
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E033E
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E034B
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0358
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0365

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d0eb639eacc3b6e9cc6ccd7a4b0853ed4775a3e0329c436eb195d5a2b1024aef
Instruction ID: 16ce761f81f21aab641b98e12ed4b289200f856ffed21d7ee9d2df926319edcb
Opcode Fuzzy Hash: d0eb639eacc3b6e9cc6ccd7a4b0853ed4775a3e0329c436eb195d5a2b1024aef
Instruction Fuzzy Hash: 09019072800B559FC7309F66D880412F7F5FE512153158E3ED19692A31C3B1A994DE80

Function 008AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008AD752

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008AD764
_free.LIBCMT ref: 008AD776
_free.LIBCMT ref: 008AD788
_free.LIBCMT ref: 008AD79A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bbb71f1ef3fae7c95b4bb6aaacc0d3f623f9aae805be8d4910204aed1f482beb
Instruction ID: 29b8e591837fc92ab23b5b6e7c8898d807278fabd2598c162f634d21f3bc8fb9
Opcode Fuzzy Hash: bbb71f1ef3fae7c95b4bb6aaacc0d3f623f9aae805be8d4910204aed1f482beb
Instruction Fuzzy Hash: 49F04F72518708AFA669EB6CF9C1D1B7BDDFB06710B990805F149E7D11C720FC808B62

Function 008D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008D5C6F
MessageBeep.USER32(00000000), ref: 008D5C87
KillTimer.USER32(?,0000040A), ref: 008D5CA3
EndDialog.USER32(?,00000001), ref: 008D5CBD

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6147f316e4640e8dd8041c33e7d1083fb64e4e9f3256d3a6c1f4bfa1bb002b3d
Instruction ID: e8e27ea2508403fb64bc14a4382d928c1889a5c5e39c450435a45ce0f1898225
Opcode Fuzzy Hash: 6147f316e4640e8dd8041c33e7d1083fb64e4e9f3256d3a6c1f4bfa1bb002b3d
Instruction Fuzzy Hash: B6018170524B04AFEB306B10DD4EFA67BB8FB00B45F04075BA583E11E1DBF5A9849A91

Function 008A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008A22BE

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008A22D0
_free.LIBCMT ref: 008A22E3
_free.LIBCMT ref: 008A22F4
_free.LIBCMT ref: 008A2305

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8748bfb170ae12da3549d6981c169ec72f014776698e763127a4133df8b9d8e4
Instruction ID: 45c6849e1f9c920b2e8f942aca01fbc9015f066e8098b90e0c21cd50f313cac9
Opcode Fuzzy Hash: 8748bfb170ae12da3549d6981c169ec72f014776698e763127a4133df8b9d8e4
Instruction Fuzzy Hash: 26F054B84286108FD772AF6CBC01D093F64F71BB517040556F610D2671C7310551BFE6

Function 008895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008895D4
StrokeAndFillPath.GDI32(?,?,008C71F7,00000000,?,?,?), ref: 008895F0
SelectObject.GDI32(?,00000000), ref: 00889603
DeleteObject.GDI32 ref: 00889616
StrokePath.GDI32(?), ref: 00889631

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 07d8fdb11e2aba111155c020953b51a4c6cc4c45845a747c9546bf939f0edc50
Instruction ID: 942931857c41d023026139f55790a5ea7cfc85e47b9f4d7282ba73e9d01d930e
Opcode Fuzzy Hash: 07d8fdb11e2aba111155c020953b51a4c6cc4c45845a747c9546bf939f0edc50
Instruction Fuzzy Hash: F9F0C97902E208EFDB16AF65ED58B643B65FB12366F088314F469950F0D7308995EF60

Function 008A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008A10F9
__freea.LIBCMT ref: 008A1117

Part of subcall function 008A1537: _free.LIBCMT ref: 008A154F

Strings

a/p, xrefs: 008A11DE
am/pm, xrefs: 008A117A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 716e4bbe41ef2865cba15248b81c9d026569866f6c2a80f0d424cc35d75f1b04
Instruction ID: d7c2dbf397058b9a22b66ab26323e1429df296b14f404f23b51a91c3c1b29212
Opcode Fuzzy Hash: 716e4bbe41ef2865cba15248b81c9d026569866f6c2a80f0d424cc35d75f1b04
Instruction Fuzzy Hash: E5D1DF3190020A9AEF289F68C85DBBAB7B5FF07714F284159E901EBF50D3799D80CB91

Function 008F7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00890242: EnterCriticalSection.KERNEL32(0094070C,00941884,?,?,0088198B,00942518,?,?,?,008712F9,00000000), ref: 0089024D
Part of subcall function 00890242: LeaveCriticalSection.KERNEL32(0094070C,?,0088198B,00942518,?,?,?,008712F9,00000000), ref: 0089028A

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008900A3: __onexit.LIBCMT ref: 008900A9

__Init_thread_footer.LIBCMT ref: 008F7BFB

Part of subcall function 008901F8: EnterCriticalSection.KERNEL32(0094070C,?,?,00888747,00942514), ref: 00890202
Part of subcall function 008901F8: LeaveCriticalSection.KERNEL32(0094070C,?,00888747,00942514), ref: 00890235

Strings

G, xrefs: 008F7C7F
5, xrefs: 008F7C78
Variable must be of type 'Object'., xrefs: 008F7C3A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 3c3fa1e063cb6173f088e9e75f89845e9ab9c0892dcf8f70266d040ebd47d483
Instruction ID: 3c0e246dee8ed31fa60fcc094fed9eac5f043213f497941a2062563a5798f5cb
Opcode Fuzzy Hash: 3c3fa1e063cb6173f088e9e75f89845e9ab9c0892dcf8f70266d040ebd47d483
Instruction Fuzzy Hash: 45916970A04209AFDB14EF68D891DBDB7B1FF49304F508059FA06DB296DB71AE41CB51

Function 008D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D21D0,?,?,00000034,00000800,?,00000034), ref: 008DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008D2760

Part of subcall function 008DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008DB3F8

Part of subcall function 008DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008DB355
Part of subcall function 008DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008D2194,00000034,?,?,00001004,00000000,00000000), ref: 008DB365
Part of subcall function 008DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008D2194,00000034,?,?,00001004,00000000,00000000), ref: 008DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D281A

Strings

@, xrefs: 008D2832

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 364d2a0b6f7822ac02564c349e9678901613bcdb2954a500db66e99be88cc69f
Instruction ID: 5c3694e0c6c06754311cafe68f28d538ee5969846a3781d56851ed36077217c0
Opcode Fuzzy Hash: 364d2a0b6f7822ac02564c349e9678901613bcdb2954a500db66e99be88cc69f
Instruction Fuzzy Hash: 8E413C72900218AFDB10DBA8CD45EEEBBB8FF19300F004196FA55B7281DB716E45DBA1

Function 008A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008A1769
_free.LIBCMT ref: 008A1834
_free.LIBCMT ref: 008A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008A1760, 008A1767, 008A1796, 008A17CE

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 2e1627b1ac9bd971410a9d8cbe36a9c0fb0825e6cfc786a3b3f4c76b02acb878
Instruction ID: 77b94ff51ca9ab8481dcb357d4a7bff6e02beaee8f88cc2de39b4c14dfe80af5
Opcode Fuzzy Hash: 2e1627b1ac9bd971410a9d8cbe36a9c0fb0825e6cfc786a3b3f4c76b02acb878
Instruction Fuzzy Hash: F8318D75A04218AFEF21DB999889D9EBBFCFB86310F144166F904D7611D6B08E80DB91

Function 008DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00941990,012D5D58), ref: 008DC395

Strings

0, xrefs: 008DC2DF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 99d77a08d15807ba260edadd5672e7efb2e654376e5850a13064fd3b5e0a3bc6
Instruction ID: 0b9f47f8b5abf4ed5459895beca52084bad889ce89e30f0a8277126f65100ebd
Opcode Fuzzy Hash: 99d77a08d15807ba260edadd5672e7efb2e654376e5850a13064fd3b5e0a3bc6
Instruction Fuzzy Hash: 5B416C712083429FDB28DF29D884B5ABBA4FB85324F14871EF9A5D73D1D770A904CB62

Function 00904416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0090CC08,00000000,?,?,?,?), ref: 009044AA
GetWindowLongW.USER32 ref: 009044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009044D7

Strings

SysTreeView32, xrefs: 0090447C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 00b8d1ab016c203feb875c5c53acf85924496a1c5aa7bee7b747e48e277d487e
Instruction ID: 761cce1fb724c2fd15ddf553d56e2a2abbf46b089aaeef1188967239a647bc3e
Opcode Fuzzy Hash: 00b8d1ab016c203feb875c5c53acf85924496a1c5aa7bee7b747e48e277d487e
Instruction Fuzzy Hash: B8318DB1214605AFDB209F38DC45BEA77A9EB49334F204715FA79D21E1D770EC509B50

Function 008F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008F3077,?,?), ref: 008F3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 008F307A
_wcslen.LIBCMT ref: 008F309B
htons.WSOCK32(00000000,?,?,00000000), ref: 008F3106

Strings

255.255.255.255, xrefs: 008F3095, 008F309A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d7fe06ce0bff6245fd584995037be351edf1a5042181c093c979d2f76bd2f9d3
Instruction ID: 3f8ff4216496782ad5b8886329ac2d4696cb47fed0f5521c1c983e8f3a06bc7c
Opcode Fuzzy Hash: d7fe06ce0bff6245fd584995037be351edf1a5042181c093c979d2f76bd2f9d3
Instruction Fuzzy Hash: 0A31AE356042099FCB20DF38C485ABA77A4FF54318F24805AEA15CB392DB72EE85CB61

Function 00904653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00904705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00904713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0090471A

Strings

msctls_updown32, xrefs: 00904684

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 41bd48414ee16630d42fcaf263402e1478b5382364199b01eb1898af90546fd8
Instruction ID: ce12dec462890360322d5572218e2b6808ed37e161fb3f4a6b2b838f7a8f7352
Opcode Fuzzy Hash: 41bd48414ee16630d42fcaf263402e1478b5382364199b01eb1898af90546fd8
Instruction Fuzzy Hash: 0A2160F5604209AFDB10DF68DCD1DA737ADEF9A3A4B040459FA00DB2A1DB71EC51DA60

Function 008D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D961D

Strings

#requireadmin, xrefs: 008D95D9
#notrayicon, xrefs: 008D95B7
#OnAutoItStartRegister, xrefs: 008D95F3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 5bd1762d2924b702ed0630e0aefa777de5fcd1dbbf262ca2a2faf03c0d390772
Instruction ID: c15d3ce391d14654d1bb4522892fb3f0a4cbfa91bde0d76434f9307f7a63f203
Opcode Fuzzy Hash: 5bd1762d2924b702ed0630e0aefa777de5fcd1dbbf262ca2a2faf03c0d390772
Instruction Fuzzy Hash: 83213832204111A6C731BA28AC12FBB73A8FFA1314F144137F98AD7285EB55ED91C396

Function 009037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00903840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00903850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00903876

Strings

Listbox, xrefs: 0090380F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 11b4f10e3a97e2f3317a8af59969f9c574073b8413e909ee67819f04d0e2221d
Instruction ID: 73b154e726430067aed2c781e07f284a28499665f1844937a2add8eab783211b
Opcode Fuzzy Hash: 11b4f10e3a97e2f3317a8af59969f9c574073b8413e909ee67819f04d0e2221d
Instruction Fuzzy Hash: F6217C72614218AFEB218F64CC85EAB376EEF89754F10C124F9449B190CA71DC528BA0

Function 008E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0090CC08), ref: 008E4AD0

Strings

%lu, xrefs: 008E4A6F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 73679fbd4375c22d6a9f26797184b006dae90439effe137f7c543c787d5a5ca3
Instruction ID: 1bd2a66d91f8889eb67517c0d776b707e1d11dadb606fe7abb376922612b2333
Opcode Fuzzy Hash: 73679fbd4375c22d6a9f26797184b006dae90439effe137f7c543c787d5a5ca3
Instruction Fuzzy Hash: 7F315E71A00118AFDB10DF58C885EAA7BF8FF49318F1480A5E909DB252D771ED45CB62

Function 009041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0090424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00904264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00904271

Strings

msctls_trackbar32, xrefs: 00904226

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 15bba39933df04a678caea8925ae7c7ad0d2d3bf47dbf6caf216befad93a79d1
Instruction ID: fa82bfd88afc50a192e8411306095604a7b255bf9070fa88896e29da57b1945d
Opcode Fuzzy Hash: 15bba39933df04a678caea8925ae7c7ad0d2d3bf47dbf6caf216befad93a79d1
Instruction Fuzzy Hash: D0110671344208BEEF205F68CC06FAB3BACEF95B54F010514FA55E20E0D671DC619B10

Function 008D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Part of subcall function 008D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008D2DC5
Part of subcall function 008D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D2DD6
Part of subcall function 008D2DA7: GetCurrentThreadId.KERNEL32 ref: 008D2DDD
Part of subcall function 008D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008D2DE4

GetFocus.USER32 ref: 008D2F78

Part of subcall function 008D2DEE: GetParent.USER32(00000000), ref: 008D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008D2FC3
EnumChildWindows.USER32(?,008D303B), ref: 008D2FEB

Strings

%s%d, xrefs: 008D2FFF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1f952a23189ff1612106c92128c88bdf60bd77340eed8196a8733512043f7ac8
Instruction ID: c804257285ef4bef0caba932f8fa9ecedb38ccbf8d71ceb9580704082e248080
Opcode Fuzzy Hash: 1f952a23189ff1612106c92128c88bdf60bd77340eed8196a8733512043f7ac8
Instruction Fuzzy Hash: D711E7712002096BCF10BF748C85EED376AFF94318F048176F909EB292DE319E498B62

Function 00905882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009058EE
DrawMenuBar.USER32(?), ref: 009058FD

Strings

0, xrefs: 0090588F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b55b19dcfe58a19391ad5a36714c0616ab1e04ad7f91a7fbc3d576f605015534
Instruction ID: 9d8ed282755de70090512742372b13b70bef5d4d83b95ae9c563d368eece90be
Opcode Fuzzy Hash: b55b19dcfe58a19391ad5a36714c0616ab1e04ad7f91a7fbc3d576f605015534
Instruction Fuzzy Hash: 7B01CC31504208EFDB209F11DC44BAFBBB8FF45361F0080A9F848DA1A2DB308A90EF21

Function 008D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f623563c765145a8fed0678f93fcd52fe093a7fc500ff33fffa241233699583
Instruction ID: 8e48b980c4928fefa4e012882dbe60b82843236cefd951b64739797f2e2d66ff
Opcode Fuzzy Hash: 4f623563c765145a8fed0678f93fcd52fe093a7fc500ff33fffa241233699583
Instruction Fuzzy Hash: 78C13875A0020AAFDB14DFA8C894BAEB7B5FF48704F208699E505EB351D731EE41CB90

Function 008A3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008A3F0B
__alldvrm.LIBCMT ref: 008A410C
__alldvrm.LIBCMT ref: 008A412E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1890be23fda00b4ada303aa0a5f11a80cf7bffa21a93f634c88fb73c09f78a28
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 40A14571E107869FFF21CE18C8917AABBE4FFA3350F18416DE585DB682C6B88981C751

Function 008F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008F3459
CoUninitialize.OLE32 ref: 008F3463
VariantInit.OLEAUT32(?), ref: 008F346E
VariantClear.OLEAUT32(?), ref: 008F371B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d753ea5d8395da41184146556a55c5372a9adef3943dbd8b8e0e684547ff089a
Instruction ID: 3a10f7460faebc6e661040194f18b7e4be64b11a012fc40fe0e91d6d93579491
Opcode Fuzzy Hash: d753ea5d8395da41184146556a55c5372a9adef3943dbd8b8e0e684547ff089a
Instruction Fuzzy Hash: 88A13B756042049FCB10EF28C485A2AB7E5FF89714F148959FA8ADB366DB30EE41CB52

Function 008D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0090FC08,?), ref: 008D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0090FC08,?), ref: 008D0608
CLSIDFromProgID.OLE32(?,?,00000000,0090CC40,000000FF,?,00000000,00000800,00000000,?,0090FC08,?), ref: 008D062D
_memcmp.LIBVCRUNTIME ref: 008D064E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 51c39fc31eb5f48139132150a68feb1f41030bc8af52e41a7aea334faec4dc2c
Instruction ID: 583ff575123f2082f131e7d7debae0002f159b653a33a9a0d7dd824e27830e12
Opcode Fuzzy Hash: 51c39fc31eb5f48139132150a68feb1f41030bc8af52e41a7aea334faec4dc2c
Instruction Fuzzy Hash: 9681E671A00209AFCB04DF94C984EEEB7B9FF89315F204599E506EB250DB71AE06CF61

Function 008FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 008FA6BA

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Process32NextW.KERNEL32(00000000,?), ref: 008FA79C
CloseHandle.KERNEL32(00000000), ref: 008FA7AB

Part of subcall function 0088CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008B3303,?), ref: 0088CE8A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a9d1e9be28dca5ca7163bdbfa919ac39a0b45ccc6bd13be0af7d06a47e6b8000
Instruction ID: 03b318c2a0c3329e6d992863c85e0fb491820def8feec44acd78b58722de2ac9
Opcode Fuzzy Hash: a9d1e9be28dca5ca7163bdbfa919ac39a0b45ccc6bd13be0af7d06a47e6b8000
Instruction Fuzzy Hash: D3510AB15083049FD714EF28C886A6BBBE8FF89754F00892DF599D7252EB70D905CB92

Function 008B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008B14C0

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 46bde339a6c2a5febc51d81821f9115db9d6b724344b775f4ecd94699a410e3f
Instruction ID: f17e041e64c7fb571aafce698403f59beb269cfed157c641b88232b3a64612c3
Opcode Fuzzy Hash: 46bde339a6c2a5febc51d81821f9115db9d6b724344b775f4ecd94699a410e3f
Instruction Fuzzy Hash: F6417B31600105ABEF257BFC8C5ABEE3AA6FF46370F684225F518DA392EA7448415267

Function 00906278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009062E2
ScreenToClient.USER32(?,?), ref: 00906315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00906382

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9b82a3ff2c1492956d4207723f873ef544b50103114fd9cadf99ba13b1a458b6
Instruction ID: e8864f3d0f237c0b2329ec3956aedd953d44028613446e118fcb700446cdd489
Opcode Fuzzy Hash: 9b82a3ff2c1492956d4207723f873ef544b50103114fd9cadf99ba13b1a458b6
Instruction Fuzzy Hash: 3D510B74900209EFDB24DF58D881AAE7BB9FB45360F108269F865972E0D730ED91DB90

Function 008F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008F1AFD
WSAGetLastError.WSOCK32 ref: 008F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008F1B8A
WSAGetLastError.WSOCK32 ref: 008F1B94

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3ea6b48d4937f6b84da0c0b08b40a72654d0e3a6e5bdec21d8ab9a0a78a4ccd0
Instruction ID: 0e0f3672e8ded3fd0d03d83a670e83154968420a634eaeccbcd9d7f94b369fef
Opcode Fuzzy Hash: 3ea6b48d4937f6b84da0c0b08b40a72654d0e3a6e5bdec21d8ab9a0a78a4ccd0
Instruction Fuzzy Hash: 2D416D74640204AFEB20AF28C88AF2977A5FB44718F54C558FA1ADF393E672DD418B91

Function 008AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f92c3ceafb853ce0ef78a0c37a34fafe38c6f9e86a0876b011edc014d3c351
Instruction ID: b87084ac4ec94ec516bd0a6fe3ffd1b52844e21d299a5f1764365c5f610d55d7
Opcode Fuzzy Hash: 41f92c3ceafb853ce0ef78a0c37a34fafe38c6f9e86a0876b011edc014d3c351
Instruction Fuzzy Hash: 2B410671A00708AFE724AF7CCC41BAABBE9FB89710F10452EF541DBA83D771A9018781

Function 008E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008E5783
GetLastError.KERNEL32(?,00000000), ref: 008E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008E57FA

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7bafdb0957d4873067c6c365beedba4686ebfc37e332f67365e67cd657486210
Instruction ID: 04c5226e7384647efaf0374b27550396e1b2eb71f105d20552537155f4a00b8e
Opcode Fuzzy Hash: 7bafdb0957d4873067c6c365beedba4686ebfc37e332f67365e67cd657486210
Instruction Fuzzy Hash: C1412F35600610DFCB11EF19C544A5EBBE2FF89724B19C498E85A9B366CB34FD40DB92

Function 008AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00896D71,00000000,00000000,008982D9,?,008982D9,?,00000001,00896D71,8BE85006,00000001,008982D9,008982D9), ref: 008AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008AD9AB
__freea.LIBCMT ref: 008AD9B4

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 09d2a4697e812292e343647b685bc465f5bb07474c5432f907bb8a0c546f560c
Instruction ID: 47471174428dc29b86c52982b2af7cc77ed1a3ced6c6a114955b53e5b4951430
Opcode Fuzzy Hash: 09d2a4697e812292e343647b685bc465f5bb07474c5432f907bb8a0c546f560c
Instruction Fuzzy Hash: AE31CE72A0020AAFEF249F68DC45EAF7BA5FB42310B090268FC05DA650EB35CD55CB90

Function 009052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00905352
GetWindowLongW.USER32(?,000000F0), ref: 00905375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00905382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009053A8

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: bb66a15d1720703f10f415dff2f32116278e2865c35ad115b170733a0a82c379
Instruction ID: cbae690af0fed231b4abdc289ac9f4f8978b51f499c47fd1f8245ddede87144c
Opcode Fuzzy Hash: bb66a15d1720703f10f415dff2f32116278e2865c35ad115b170733a0a82c379
Instruction Fuzzy Hash: 3531C374A59A08EFEB349F14CC06FEA77A9EB053D0F594501FA10961E1C7B5AD80EF42

Function 008DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008DAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008DACC6

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4df55491bf73654bfabe200acbdd5adcc4586bc28a356f816894ce05a4509fec
Instruction ID: c1cdd3c461fdf72476a6a072d48f7b1300be1dc0f5903259a87b11cb17ed3a79
Opcode Fuzzy Hash: 4df55491bf73654bfabe200acbdd5adcc4586bc28a356f816894ce05a4509fec
Instruction Fuzzy Hash: 4B31F470A64618AFEB398B65CC047FA7BA5FB89330F28431BE485D23D1C37589859753

Function 00907674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0090769A
GetWindowRect.USER32(?,?), ref: 00907710
PtInRect.USER32(?,?,00908B89), ref: 00907720
MessageBeep.USER32(00000000), ref: 0090778C

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 44245a22d44858712436497e100a37157727c52d9408648b9171c03439d70a24
Instruction ID: 5ee1b9ee9ed360ca0e6adca4065a7da338bdf7959ba23ebd7f9362a3a11e8362
Opcode Fuzzy Hash: 44245a22d44858712436497e100a37157727c52d9408648b9171c03439d70a24
Instruction Fuzzy Hash: F541AF39A09215DFCB15CF98D894EA9B7F5FB49360F1441A8E414DB2A1C371B981DF90

Function 009016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009016EB

Part of subcall function 008D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D3A57
Part of subcall function 008D3A3D: GetCurrentThreadId.KERNEL32 ref: 008D3A5E
Part of subcall function 008D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008D25B3), ref: 008D3A65

GetCaretPos.USER32(?), ref: 009016FF
ClientToScreen.USER32(00000000,?), ref: 0090174C
GetForegroundWindow.USER32 ref: 00901752

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f9a41e9bb7ce712d31ba4d1f329d9a6bbe6d1ec782ad412a3a8963fac1b59ef2
Instruction ID: 2f3fa609528da9d90ed4c90e2b6e15956ec6b8e51081464197db623ed97bf047
Opcode Fuzzy Hash: f9a41e9bb7ce712d31ba4d1f329d9a6bbe6d1ec782ad412a3a8963fac1b59ef2
Instruction Fuzzy Hash: 04311D75D00549AFC704EFA9C881CAEBBF9FF49304B5480AAE415E7251EB31DE45CBA1

Function 00908FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

GetCursorPos.USER32(?), ref: 00909001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008C7711,?,?,?,?,?), ref: 00909016
GetCursorPos.USER32(?), ref: 0090905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008C7711,?,?,?), ref: 00909094

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ba21d8ba84eb99b686429348f5795afa02c17e91bf9be0c0c6e72891ef4ccc30
Instruction ID: 1ff2f7ca1b29c48791c0b32868c76bf2b85d619d326160caa591fd3911cbd444
Opcode Fuzzy Hash: ba21d8ba84eb99b686429348f5795afa02c17e91bf9be0c0c6e72891ef4ccc30
Instruction Fuzzy Hash: EA21A136611018EFDB258F94DC58EFB7BB9FF4A360F044155F945872A2C3319990EB60

Function 008DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0090CB68), ref: 008DD2FB
GetLastError.KERNEL32 ref: 008DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0090CB68), ref: 008DD376

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 50b1869bede77c71e718fd531b38a10a7f450f678d3e084b17b8a5cc2dc65031
Instruction ID: 3ca9531f21be58113d7d9d217c50f51ffc4f58b317381860c9459ee0f654366c
Opcode Fuzzy Hash: 50b1869bede77c71e718fd531b38a10a7f450f678d3e084b17b8a5cc2dc65031
Instruction Fuzzy Hash: 78212C705093019FC714DF28C88186A77E4FE56768F508B1AF499C73A1E731D946DB93

Function 008D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D102A
Part of subcall function 008D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D1036
Part of subcall function 008D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1045
Part of subcall function 008D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D104C
Part of subcall function 008D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008D15BE
_memcmp.LIBVCRUNTIME ref: 008D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D1617
HeapFree.KERNEL32(00000000), ref: 008D161E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dadfab4f8760eabbd4e40fa46fa827deb56121b2da6e7980f98d96d0ee483c32
Instruction ID: c46073d6ea24c0d20f045cd681c87d1637e08cc618f6be8c97b561c544ce8ada
Opcode Fuzzy Hash: dadfab4f8760eabbd4e40fa46fa827deb56121b2da6e7980f98d96d0ee483c32
Instruction Fuzzy Hash: FE215571E00109AFDF00DFA4D949BEEB7B8FF54344F08465AE441EB241E734AA45DBA0

Function 00902782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0090280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00902824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00902832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00902840

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0e013583a9800f07fbd477a63d1cabe0a3cacae9e3c991bccab3c53c8367cd2e
Instruction ID: a00bd008258371af598e35c890d22e279528c226f5a404631c88c960721fd65d
Opcode Fuzzy Hash: 0e013583a9800f07fbd477a63d1cabe0a3cacae9e3c991bccab3c53c8367cd2e
Instruction Fuzzy Hash: 3421B635208511AFD7149B24CC49F6A7799EF86324F248258F816CB6D2CB75FC42C791

Function 008D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008D790A,?,000000FF,?,008D8754,00000000,?,0000001C,?,?), ref: 008D8D8C
Part of subcall function 008D8D7D: lstrcpyW.KERNEL32(00000000,?,?,008D790A,?,000000FF,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D8DB2
Part of subcall function 008D8D7D: lstrcmpiW.KERNEL32(00000000,?,008D790A,?,000000FF,?,008D8754,00000000,?,0000001C,?,?), ref: 008D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D7923
lstrcpyW.KERNEL32(00000000,?,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D7984

Strings

cdecl, xrefs: 008D797B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 169d234b5aff3a779ebbf12d63e581d3dceaf329ade1f4d32d1b817da4daa0e9
Instruction ID: 9581619fdfe90c8254fd379d2919248cbbb6916a2e446d4f83abfde21cf4350c
Opcode Fuzzy Hash: 169d234b5aff3a779ebbf12d63e581d3dceaf329ade1f4d32d1b817da4daa0e9
Instruction Fuzzy Hash: 9211E43A204201BFCB155F39C855D7A77A5FF85350B00412BF902CB3A4FB359811D761

Function 00907CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00907D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00907D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00907D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008EB7AD,00000000), ref: 00907D6B

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4c46ac3d7a9fb601efafd707d03e87d4170fcad3f09d6155fd44dfc5971bfcbe
Instruction ID: 2c19d35af1d550384f1b0a49e39142d45cce00656a9f34c43c29ed7b0d9a43c2
Opcode Fuzzy Hash: 4c46ac3d7a9fb601efafd707d03e87d4170fcad3f09d6155fd44dfc5971bfcbe
Instruction Fuzzy Hash: C511D235A19625AFCB109F68DC04E667BA9AF46370B154724F835C72F0E730E990DB50

Function 00905660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009056BB
_wcslen.LIBCMT ref: 009056CD
_wcslen.LIBCMT ref: 009056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00905816

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ccb1396d955a644f3d19bc4150f4476720fc2ae8cd0a8cbf9f576820fd3235c3
Instruction ID: 20ec4ae7edbc48556b3d10ff18331620e77075390eb5241a7c91528856aad743
Opcode Fuzzy Hash: ccb1396d955a644f3d19bc4150f4476720fc2ae8cd0a8cbf9f576820fd3235c3
Instruction Fuzzy Hash: 5111DC75A00608AEDF209BA5CC85EEF7BACEF00360B504426F915D60D1EBB48A80CF60

Function 008A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dc234dc1de178baf8d02ede78bef81e070afc6f650b193e90c9d93eedca807
Instruction ID: f3232c7b47ac415434b9fd4d16a879ae35c0c81b4c0913355973f74fa4427eaa
Opcode Fuzzy Hash: 52dc234dc1de178baf8d02ede78bef81e070afc6f650b193e90c9d93eedca807
Instruction Fuzzy Hash: 93016DB260961A7EFA61267C6CC5F67661DFF837B8F340329F621E19D2DB708C005161

Function 008D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D1A8A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5dcc9b6afedc5e3c71d9944bbcb4094abdfa7c092d005082138479a3438b8404
Instruction ID: 7361664f1844f80406830c98c3d4fcfabdb7f3302f94880595f0fa6ce5f221ff
Opcode Fuzzy Hash: 5dcc9b6afedc5e3c71d9944bbcb4094abdfa7c092d005082138479a3438b8404
Instruction Fuzzy Hash: 1211273A901229FFEF109BA4C985FADBB78FF08750F200192EA00B7290D7716E50DB94

Function 008DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008DE24D

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4f570dee2fd1cc2eaf606955d2a51511c6ef8a1ef13676eb7cde5c594e37ba4e
Instruction ID: 64172da56268488cd9f68dfe7456a13a9f84e239659fc2d628da29be89adb621
Opcode Fuzzy Hash: 4f570dee2fd1cc2eaf606955d2a51511c6ef8a1ef13676eb7cde5c594e37ba4e
Instruction Fuzzy Hash: 6A11DBB6928258BFC701AFA89C05E9F7FACEB45710F14435AF924E7391D670DD0497A0

Function 0089D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0089CFF9,00000000,00000004,00000000), ref: 0089D218
GetLastError.KERNEL32 ref: 0089D224
__dosmaperr.LIBCMT ref: 0089D22B
ResumeThread.KERNEL32(00000000), ref: 0089D249

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 393c269da10c409e4743244918a47c1945ab4d8d8968f3e8bf65f350bb444821
Instruction ID: ac22ae99696c1bf5b25a848f0e6a91d527c002a557dd1a132e630eb381e4ff3a
Opcode Fuzzy Hash: 393c269da10c409e4743244918a47c1945ab4d8d8968f3e8bf65f350bb444821
Instruction Fuzzy Hash: 96012272818308BBCF207BE9DC09BAA7A68FF81730F280319F924D21D0CB71D900D6A1

Function 0087600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0087604C
GetStockObject.GDI32(00000011), ref: 00876060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0087606A

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 86173c418b12edabe188598d093c3452aae189a6b19083186f487dec6de478eb
Instruction ID: 5b62158fafb7d7112e778b7287309a9aee661e2e8aeba4e656690b383a5fd128
Opcode Fuzzy Hash: 86173c418b12edabe188598d093c3452aae189a6b19083186f487dec6de478eb
Instruction Fuzzy Hash: 971161B2505909BFEF124F94DC44EEA7B69FF19364F044215FA18A2164D732DC60EF90

Function 00893B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00893B56

Part of subcall function 00893AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00893AD2
Part of subcall function 00893AA3: ___AdjustPointer.LIBCMT ref: 00893AED

_UnwindNestedFrames.LIBCMT ref: 00893B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00893B7C
CallCatchBlock.LIBVCRUNTIME ref: 00893BA4

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: eae911b073ff1dcc07653fb5402e2fe1e762f26e5d4d4c4c30a5f2c9bfc27b8d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1D01ED32100149BBDF116E99CC46DEB7B69FF58764F084014FE48A6121C732D961DBA1

Function 008A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008713C6,00000000,00000000,?,008A301A,008713C6,00000000,00000000,00000000,?,008A328B,00000006,FlsSetValue), ref: 008A30A5
GetLastError.KERNEL32(?,008A301A,008713C6,00000000,00000000,00000000,?,008A328B,00000006,FlsSetValue,00912290,FlsSetValue,00000000,00000364,?,008A2E46), ref: 008A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008A301A,008713C6,00000000,00000000,00000000,?,008A328B,00000006,FlsSetValue,00912290,FlsSetValue,00000000), ref: 008A30BF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a8373b140d39659fddb42aaa11b1b355912052150475609daa6719843c8ccca2
Instruction ID: a5a65688000d52cffad99e6bceaee9422c469d7b3432f90e53e2694a7bc494d8
Opcode Fuzzy Hash: a8373b140d39659fddb42aaa11b1b355912052150475609daa6719843c8ccca2
Instruction Fuzzy Hash: 93012B72329A26AFEB314B799C449577B98FF47BA1B200720FA15E3580D721D901C6E0

Function 008D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008D74CA

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ab0217f9504994d9bc8c62e36b9f78e90be6986c87a6b4cd99986afdddde83cf
Instruction ID: 3824a992c35879cb461d4d43e2c526bd8ee11435fea9c1d952bf2468fe1b09fe
Opcode Fuzzy Hash: ab0217f9504994d9bc8c62e36b9f78e90be6986c87a6b4cd99986afdddde83cf
Instruction Fuzzy Hash: 4211C4B12093159FE7218F14DC08F92BFFDFB00B04F10866AE616D6291E770E944EB54

Function 008DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB126

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c526da6ba29dbd82d13955ac8d5a01717951f7966b36fb049e0ad94f0e54d989
Instruction ID: ac3288b1fa728ca6410f398740b870b63c30e43f5370e23dcb0a77640397fe65
Opcode Fuzzy Hash: c526da6ba29dbd82d13955ac8d5a01717951f7966b36fb049e0ad94f0e54d989
Instruction Fuzzy Hash: DD116171C0561DDBCF00AFE4D9596EEBB78FF09711F124286D941F2241DB3059509B91

Function 008D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008D2DD6
GetCurrentThreadId.KERNEL32 ref: 008D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008D2DE4

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 55b2b9ef52d519e58adc220e451b98d8dd0e82da34eeb15f1d5116c37d4b5ebd
Instruction ID: 97ac82998d7156cffad0135553700d712af2f74e9d3af452d93d61d677104b2a
Opcode Fuzzy Hash: 55b2b9ef52d519e58adc220e451b98d8dd0e82da34eeb15f1d5116c37d4b5ebd
Instruction Fuzzy Hash: CAE06DB21192287AD7201B629C0DEEB3F6DFB56BA1F000316B105D11809AA18880D6B0

Function 00908863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00889639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00889693
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896A2
Part of subcall function 00889639: BeginPath.GDI32(?), ref: 008896B9
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00908887
LineTo.GDI32(?,?,?), ref: 00908894
EndPath.GDI32(?), ref: 009088A4
StrokePath.GDI32(?), ref: 009088B2

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6a948177a6b79092061ff7f84921b221d746e126dc9ecbcfa666e9a7a7f68cf7
Instruction ID: 11e2f9a638668f1d3a095f3c28bf7aa6df00e2011647d69a6b6d888bf500621b
Opcode Fuzzy Hash: 6a948177a6b79092061ff7f84921b221d746e126dc9ecbcfa666e9a7a7f68cf7
Instruction Fuzzy Hash: 3BF03A36159259FAEB126F94AC09FCA3E69AF06310F048100FA11650E1C7755551EBE5

Function 008898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008898CC
SetTextColor.GDI32(?,?), ref: 008898D6
SetBkMode.GDI32(?,00000001), ref: 008898E9
GetStockObject.GDI32(00000005), ref: 008898F1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f97f1c75099ddd8e87af30e55590db6df2f373410ef7a3f00c162e9ce318517c
Instruction ID: 204dcae7bfd8f40267977153f42c2911ec3e6c2ee033a3c0587819d4307ff76d
Opcode Fuzzy Hash: f97f1c75099ddd8e87af30e55590db6df2f373410ef7a3f00c162e9ce318517c
Instruction Fuzzy Hash: 2DE06D7125C280AEDB215B74AC09BE83F20FB12336F048319FAFA980E1C3718650AF10

Function 008D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008D11D9), ref: 008D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D11D9), ref: 008D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008D11D9), ref: 008D164F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5e34647a52042f04976b7afdca5e87396326f74e94cff04cbf2335bf175af823
Instruction ID: 07dfb73e8fbd8c95e93e7b3911a097d02702a2df6128b4182b9a258b5f80b09e
Opcode Fuzzy Hash: 5e34647a52042f04976b7afdca5e87396326f74e94cff04cbf2335bf175af823
Instruction Fuzzy Hash: B1E08CB261A211EFEB201FA0AE0DB863B7CFF54B92F148A09F245D9080E6348440EB60

Function 008CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008CD858
GetDC.USER32(00000000), ref: 008CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008CD882
ReleaseDC.USER32(?), ref: 008CD8A3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b67e15ebc022ae3d22247a7fc9800907652f7b5abee7cd8ab6d396aa6c5a5ab4
Instruction ID: a8a3724305b6cb46346354152c3c00723929cf3fb52bb206c208e337816ce67d
Opcode Fuzzy Hash: b67e15ebc022ae3d22247a7fc9800907652f7b5abee7cd8ab6d396aa6c5a5ab4
Instruction Fuzzy Hash: 13E01AB0814209DFCF51AFA0D80CA6DBBB1FB08310F108519F846E7250CB399901BF50

Function 008CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008CD86C
GetDC.USER32(00000000), ref: 008CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008CD882
ReleaseDC.USER32(?), ref: 008CD8A3

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d4860634b4d5a9ba4e581047ec89e24cb1cf4e96cabb7b0cd2c08c90f52ef9f4
Instruction ID: 34809a0f4d7a7edd407b14a20cd14b2c652993b389f03830a8371a932cb863e3
Opcode Fuzzy Hash: d4860634b4d5a9ba4e581047ec89e24cb1cf4e96cabb7b0cd2c08c90f52ef9f4
Instruction Fuzzy Hash: D8E092B5818209EFCF61AFA4D80C66DBBB5FB08311F149549E94AE7290CB799901BF50

Function 008E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008E4ED4

Strings

*, xrefs: 008E4E10
LPT, xrefs: 008E4DFB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 561f9db6dd44e682c91d88a7744dd495ea5e2f86f7ff49864d78cc1dcc2fb42d
Instruction ID: 9b3b7144724a86e3260f4a8721b20d73af72d2c672fe8a88bf82fb5cc75dfbf8
Opcode Fuzzy Hash: 561f9db6dd44e682c91d88a7744dd495ea5e2f86f7ff49864d78cc1dcc2fb42d
Instruction Fuzzy Hash: A5916D75A042449FCB14DF59C484EAABBF1FF45718F189099E80A9F3A2CB31ED85CB91

Function 0089E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0089E30D

Strings

pow, xrefs: 0089E2E5, 0089E302

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2682aef0f798637b6cbb4db4de30c7d7c07f7e20f8f2d42653d57a972dc1467b
Instruction ID: da54123e9fb7fc0a74426fedeeca17ca2a72a2dd488fab87c338080179061da6
Opcode Fuzzy Hash: 2682aef0f798637b6cbb4db4de30c7d7c07f7e20f8f2d42653d57a972dc1467b
Instruction Fuzzy Hash: A8513B61A1C20696EF15B718CD413B92FA4FB41B40F388D68F095C27EDEB358CA1BA46

Function 0088E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0088E1B1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f4c6ccf8b185ba30568a25b9a4318cbe5769f94269ac77d9b27eddbbbd1d9549
Instruction ID: a351477fd70cb5a76ed6ccf605df652bc7b206a8f2ee0fbd7a9da2bfb6607d0a
Opcode Fuzzy Hash: f4c6ccf8b185ba30568a25b9a4318cbe5769f94269ac77d9b27eddbbbd1d9549
Instruction Fuzzy Hash: 2451FF7550424ADFDB25EF28C481ABA7BB8FF25310F248059F891DB290D734DD52CBA1

Function 0088F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0088F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0088F2BB

Strings

@, xrefs: 0088F2AF

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 82b46ebfda105f9531c821a3a32a0205398782ba3ec1646ab628dd832b45220c
Instruction ID: 3e63de8d41f2cda380b92585463029fbbc21e99274df148616a0c45be424329c
Opcode Fuzzy Hash: 82b46ebfda105f9531c821a3a32a0205398782ba3ec1646ab628dd832b45220c
Instruction Fuzzy Hash: 035126714187449BD320AF14DC86BAFBBF8FB95304F81885DF299811A9EF708529CB67

Function 008F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008F57E0
_wcslen.LIBCMT ref: 008F57EC

Strings

CALLARGARRAY, xrefs: 008F57E6, 008F57EB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 1138c329002a01e46650afcb9b0aefa2b07ce867cbfdf0b52c120718c96db09c
Instruction ID: c10d173ed8316420695dba7c60324b0a601e3237fd3d4c807880e426b5b7dbff
Opcode Fuzzy Hash: 1138c329002a01e46650afcb9b0aefa2b07ce867cbfdf0b52c120718c96db09c
Instruction Fuzzy Hash: B0419F71A102099FCB14EFB8C8828BEBBB5FF59764F144129E605E7291E7349D81CB91

Function 008ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008ED13A

Strings

|, xrefs: 008ED10B

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e6167d6a37695d98bd78ff98919332a09c65960bb2241781f368210d3f451e0b
Instruction ID: 51f2ee2ba03609557016c27595dd18ceb54512f8c6f08d4397259bf5e9384f3d
Opcode Fuzzy Hash: e6167d6a37695d98bd78ff98919332a09c65960bb2241781f368210d3f451e0b
Instruction Fuzzy Hash: AF311971D00219ABCF15EFA9CC85AEEBFB9FF15300F104019F819E6166E731AA16DB61

Function 0090356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00903621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0090365C

Strings

static, xrefs: 009035BC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a92ec66c270d3387c8c519048560959d678115b57008ca8345fd73d6369b0644
Instruction ID: 6cfb85380ea1ea61397c9ac13d8321b0d2cee6ea4f1320913f27654131799a98
Opcode Fuzzy Hash: a92ec66c270d3387c8c519048560959d678115b57008ca8345fd73d6369b0644
Instruction Fuzzy Hash: BA316B71110604AEDB209F68DC81EBB73ADFF88724F10D619F9A9D7290DA31AD91DB60

Function 00904537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0090461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00904634

Strings

', xrefs: 0090458E

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 53d47863e301e28c70e1c99b205f619faaaff50a44825b893cdb4e1f00bdfa4c
Instruction ID: 5e07dba63befe1ae4e7fcdb518d72d2b41748c2e84404481c1af4d20e3c9df70
Opcode Fuzzy Hash: 53d47863e301e28c70e1c99b205f619faaaff50a44825b893cdb4e1f00bdfa4c
Instruction Fuzzy Hash: 2E313AB4A013099FDF14CFA9C980BDA7BB9FF49300F104069EA04AB381E771A941CF90

Function 009031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0090327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00903287

Strings

Combobox, xrefs: 00903249

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 365c92bc82eb2d4bd7888f283cacac8ce12624d12b0eba142231185ba19f4d8a
Instruction ID: 572857d6eb36700203b86209546e8b21a9079f270a55aaf71c8272656c0712fd
Opcode Fuzzy Hash: 365c92bc82eb2d4bd7888f283cacac8ce12624d12b0eba142231185ba19f4d8a
Instruction Fuzzy Hash: 2311B2713042087FEF219F98DC81EBB37AEEB94364F108225F928972D0D6319D519760

Function 00903710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0087600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0087604C
Part of subcall function 0087600E: GetStockObject.GDI32(00000011), ref: 00876060
Part of subcall function 0087600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0087606A

GetWindowRect.USER32(00000000,?), ref: 0090377A
GetSysColor.USER32(00000012), ref: 00903794

Strings

static, xrefs: 00903757

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9510b85bf27517264cbc49b4cd1e6a2db69564fe73e77d098deb1986c4a2f2bf
Instruction ID: f11af5aa132ce839a19ca40f95549551e30ec25c6e1472d3c77336d3b28dbb2c
Opcode Fuzzy Hash: 9510b85bf27517264cbc49b4cd1e6a2db69564fe73e77d098deb1986c4a2f2bf
Instruction Fuzzy Hash: C41129B2610209AFDB00DFA8CC45EEA7BF8FB08314F004A15F955E2290E735E8619B50

Function 008ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008ECDA6

Strings

<local>, xrefs: 008ECD66

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c15e912a4ece3bdbf6043a83db0f4ccc0610e72e81d3bfe766629c3916fd4c0a
Instruction ID: 1811b59c37cffcd03e3587774cfb1920700a5dc6c66ab98a1c37b45b38288743
Opcode Fuzzy Hash: c15e912a4ece3bdbf6043a83db0f4ccc0610e72e81d3bfe766629c3916fd4c0a
Instruction Fuzzy Hash: 4911A371B15675BED7344B678C45EE7BEADFB137A8F004226B509C2080D6659842D6F0

Function 00903429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009034BA

Strings

edit, xrefs: 0090348F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ed364ba12c6fc8cde46e86371a919c6e5414173ff4423b59d8465d925969c92f
Instruction ID: abbb4b45d946affc7573829d1ba421c5dded5b3eec9a59097724021f4e7b9a9a
Opcode Fuzzy Hash: ed364ba12c6fc8cde46e86371a919c6e5414173ff4423b59d8465d925969c92f
Instruction Fuzzy Hash: 0611BC71100208AFEB228F64DC80AAB37AEEF05778F508724F9609B1E0C771DC91AB60

Function 008D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

CharUpperBuffW.USER32(?,?,?), ref: 008D6CB6
_wcslen.LIBCMT ref: 008D6CC2

Strings

STOP, xrefs: 008D6CBC, 008D6CC1

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 636a660f593f60c47edc488dd526145fd5c8bd90d70d8e9b59c1836d41b9f9f7
Instruction ID: 164c64bf6c46b515edca84728f0035bfa7662594cb847b478db88a7ce8ccbbe4
Opcode Fuzzy Hash: 636a660f593f60c47edc488dd526145fd5c8bd90d70d8e9b59c1836d41b9f9f7
Instruction Fuzzy Hash: 0F010432A2452F8ACB20AFBDDC809BF37A5FB60714B000626E852D2295FA32D920C650

Function 008D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008D1D4C

Strings

ListBox, xrefs: 008D1D16
ComboBox, xrefs: 008D1CEB

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fbe30c2be681ace284ba9d63386c163cdc546f09843a5e2d5c95a64d99da6872
Instruction ID: 950922de4d878195271afd0fb1b4d1fddb000361babf7b07bbc222004a129f00
Opcode Fuzzy Hash: fbe30c2be681ace284ba9d63386c163cdc546f09843a5e2d5c95a64d99da6872
Instruction Fuzzy Hash: 8201B571611218ABCF14EBA8CC55CFE73A9FF56354F04071AF866D73C5EB3199088662

Function 008D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008D1C46

Strings

ListBox, xrefs: 008D1C10
ComboBox, xrefs: 008D1BE5

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 63adcf300d86f0c2b6acf692e60619128a4f2feaef667b8b42238ca29cc65185
Instruction ID: ea79c314741aa9a9db1104992804e17794c7f1c4be9f4ecfa18e734213a89084
Opcode Fuzzy Hash: 63adcf300d86f0c2b6acf692e60619128a4f2feaef667b8b42238ca29cc65185
Instruction Fuzzy Hash: 1201D4717901087ADF04EB94C956DFF73A8FF65344F10011AE446E3382EA209B0886B3

Function 008D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008D1CC8

Strings

ListBox, xrefs: 008D1C94
ComboBox, xrefs: 008D1C69

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1d59a96fafb3d05b9f7739a73a8d1977523b8abd33df9c02457059542dccd7c5
Instruction ID: 0bac762974cae7035b21b1f6df954fb7d5f79ccb7c8ebeef1af8741c74b0122c
Opcode Fuzzy Hash: 1d59a96fafb3d05b9f7739a73a8d1977523b8abd33df9c02457059542dccd7c5
Instruction Fuzzy Hash: B2018FB179011876CF14EBA9CA46AFE73A8FF11344F140116A846E3381EA219F088673

Function 008D1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008D1DD3

Strings

ListBox, xrefs: 008D1DA0
ComboBox, xrefs: 008D1D75

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c155db273dbf2326694d1254f8bc4995d1c6d29319a7214dd31ee3f043e36b58
Instruction ID: 60dc4995e01cdbfb6a2a7c9ff150dd0ec51b52c746c2d933746e4fc5edb9b7ec
Opcode Fuzzy Hash: c155db273dbf2326694d1254f8bc4995d1c6d29319a7214dd31ee3f043e36b58
Instruction Fuzzy Hash: 22F0D671B502186ACB04A7A8CC56EFE7378FF55354F040A16F466E33C1DB609A088662

Function 008F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F7493
_wcslen.LIBCMT ref: 008F74B9

Strings

3, 3, 16, 1, xrefs: 008F7483

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: beec4bc1fed0171431852b5fae93fa802ff5aa9676549643561b159761661e6e
Instruction ID: 4ca30a7bb6cd1ba5fc6cf2a2c0d6ca2e1f9b80bc83ca2d245705606bdc1d5e87
Opcode Fuzzy Hash: beec4bc1fed0171431852b5fae93fa802ff5aa9676549643561b159761661e6e
Instruction Fuzzy Hash: 0EE02B0220422410A231327DACC1D7F5A89FFD9750B14282BFB81C227AEA948D9293A6

Function 008D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008D0B23

Strings

Error allocating memory., xrefs: 008D0B1C
AutoIt, xrefs: 008D0B17

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 6b85482de697a766eb5dca2f6bf94437990e20c73cf8a71433c15565f53e9699
Instruction ID: 9851f3a24d35a5c80e1daad12bd076017256f2f2fe2c59c9d89028d7a059e89c
Opcode Fuzzy Hash: 6b85482de697a766eb5dca2f6bf94437990e20c73cf8a71433c15565f53e9699
Instruction Fuzzy Hash: 28E020712483187ED62437587C03F897BC4EF05F65F100527F798D55C38AD164A01BEA

Function 00890D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0088F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00890D71,?,?,?,0087100A), ref: 0088F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0087100A), ref: 00890D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0087100A), ref: 00890D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00890D7F

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8a3ef03dbe51b2469d2c5d483f04fe8adc3e4bbd1074ee06d5e0426dc265c315
Instruction ID: 5478c0b7d9b8e597682d8e4d5e8fba99e075d9e8e6bdbe08a08c085496be2aa7
Opcode Fuzzy Hash: 8a3ef03dbe51b2469d2c5d483f04fe8adc3e4bbd1074ee06d5e0426dc265c315
Instruction Fuzzy Hash: 46E092B42007418FEB30AFBCD4087427BE4FF00744F048A2DE8A6C6A96DBB0E4489F91

Function 008E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 008E3044

Strings

aut, xrefs: 008E3038

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: afab87a81dc6abade14f0d1188ad96b59bc2d2834aa24c371cfede45ee5381f8
Instruction ID: 1979d86f180737ea48c7d5705dd8fd89a0376b67d827aa0628fdb6478bd0e9fc
Opcode Fuzzy Hash: afab87a81dc6abade14f0d1188ad96b59bc2d2834aa24c371cfede45ee5381f8
Instruction Fuzzy Hash: F9D05EB25003287BDA20A7A8AC0EFCB3A6CDB05750F4002A1B665E20D5DAB0D984CAD0

Function 00902322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0090233F

Part of subcall function 008DE97B: Sleep.KERNEL32 ref: 008DE9F3

Strings

Shell_TrayWnd, xrefs: 00902325

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1a83eb0367693cc7b23bba23b94ed6ec5dfe732e5b9e164db0784255b9f6c0dc
Instruction ID: ecacf5a11856643dbd06f83816fe68b4201762c5a449475293aa9dab8c95ca89
Opcode Fuzzy Hash: 1a83eb0367693cc7b23bba23b94ed6ec5dfe732e5b9e164db0784255b9f6c0dc
Instruction Fuzzy Hash: DBD0C9B63A9310BAE668B7709C5FFC66A58AB40B14F104A167646AA1D0C9A0A8019A54

Function 00902356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090236C
PostMessageW.USER32(00000000), ref: 00902373

Part of subcall function 008DE97B: Sleep.KERNEL32 ref: 008DE9F3

Strings

Shell_TrayWnd, xrefs: 00902365

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 539d9d44b0ccbaf73b8730ba8854f7ca81e5870f7501657552d7dd65c08ce876
Instruction ID: 395933432c89db3264f138d87c0feb3bfe271517fefa4aaa74cf3c08dda371ec
Opcode Fuzzy Hash: 539d9d44b0ccbaf73b8730ba8854f7ca81e5870f7501657552d7dd65c08ce876
Instruction Fuzzy Hash: 32D0C9B6399310BAE668B7709C4FFC66A58AB44B14F504A167646EA1D0C9A0A8019A54

Function 008ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008ABE93
GetLastError.KERNEL32 ref: 008ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008ABEFC

Memory Dump Source

Source File: 00000000.00000002.2122090269.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2122059864.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122193904.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122265148.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122293628.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e8729af220de2fe4fa51ccf0da21c9f3f7bbfffa8b6d4bf82d7acaf24e0c5217
Instruction ID: 0b61ccf394e7bc5c74a16449df6f59b0b56f4c4e0bc91b96f7473a34fedab877
Opcode Fuzzy Hash: e8729af220de2fe4fa51ccf0da21c9f3f7bbfffa8b6d4bf82d7acaf24e0c5217
Instruction Fuzzy Hash: B7410534605206AFEF218FA8CC54AAA7BA4FF03310F184269F959D75A2EF308C10DB61

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2271015572.0000022925ABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2233426200.000002292D1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264934062.0000022925ABA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2267464509.000002292CAE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241593121.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234051225.000002292CAE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2233956823.000002292D172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2233956823.000002292D172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2254741816.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262627723.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271015572.0000022925ABA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2306271225.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241593121.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234051225.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2250332610.0000022926998000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280781843.000002292699C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2250332610.0000022926998000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2280781843.000002292699C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2119885542.0000022924964000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bound onEnabledPrefChangehttps://www.aliexpress.com/nimbus-desktop-experimentshttps://www.facebook.com/_generateVariablesOnlySchema_validateBranches/schema<https://www.wikipedia.org/Testing targeting expression:1tog0cdkasggly29o8xqc6p37optInToExperiment/recipe<https://www.leboncoin.fr/nimbus-desktop-experimentsmain/nimbus-desktop-experimentshttps://www.amazon.co.uk/rs-experiment-loader-timeroptInToExperiment/branch< equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2233956823.000002292D172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2119885542.0000022924964000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2233956823.000002292D172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258626655.000002292C088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2322827953.0000022921EFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D3003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3906080801.000001AB4CB0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2322827953.0000022921EFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D3003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3906080801.000001AB4CB0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2322827953.0000022921EFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3905402062.00000147D3003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3906080801.000001AB4CB0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2267649308.000002292CAC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2282069832.000002292CAC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2254741816.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2300686626.000002292CA21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252710536.00000229265C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2306271225.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2241593121.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2234051225.000002292CAE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2300686626.000002292CA21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2254741816.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262627723.0000022925ED0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49868 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a0db2de6-1356-4b50-aed9-b90b8e0410fc.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_a0db2de6-1356-4b50-aed9-b90b8e0410fc.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1EARW9TUGSEIOLD6ER95.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GZGTLR0P67T7P0MSAY4C.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre